Systems Admin Archives - Page 14 of 19

Systems Admin

Setting PowerShell Execution Policy with Group Policy in Windows Server 2022

Default Windows 10/11 PowerShell policy is Restricted - .ps1 files are blocked, only interactive commands run. The right way to change that fleet-wide is one GPO at Computer Configuration / Administrative Templates / Windows Components / Windows PowerShell / Turn on Script Execution. Walks the round trip end to end on Windows Server 2022 + a Win10 client: verify the default Restricted state, create the GPO and set RemoteSigned (Allow local scripts and remote signed scripts), link to a pilot Test Computers OU, gpupdate /force + reboot on the client, confirm Get-ExecutionPolicy now reports RemoteSigned, then flip the GPO to Disabled to demonstrate rollback (returns to Restricted). Includes the five execution policies (Restricted / AllSigned / RemoteSigned / Unrestricted / Bypass), Get-ExecutionPolicy -List interpretation (MachinePolicy beats everything when the GPO is in effect), and the six common pitfalls (computer-vs-user OU link, missed reboot, Unrestricted-as-default, Not-Configured-vs-Disabled rollback semantics, mixed user+computer policies, and the powershell.exe -ExecutionPolicy Bypass admin-bypass that means execution policy is a safety not a security boundary - pair with AppLocker or WDAC for real restriction).

Systems Admin

Configure Roaming Profiles for Active Directory User Accounts

A roaming profile follows the user across machines - sign into PC-A, then PC-B, and the same desktop, files, and app settings appear. Five-step setup on Windows Server 2022: AD security group (Roaming Profiles Users), hidden SMB share (profiles$ with access-based enumeration and a custom ACL granting only Create-Folders to the security group on This folder only), user profile path attribute set to \\\\\\profiles$\\%username%, GPO 'Add the Administrators security group to roaming user profiles' linked to the client OU (must be in place BEFORE first roaming logon - not retroactive), then verify on a Windows 10/11 client (gpupdate, sign in, drop a Test folder on the desktop, sign out / in, browse the share, confirm sysdm.cpl reports profile Type: Roaming). Includes the .V6 profile-version suffix explainer (different OSes get separate folders), the logon/logoff lifecycle, and the seven common pitfalls (path-before-share trap, forgotten Admins GPO, caching-on-the-share, mixed-OS .V6 collisions, profile bloat without limits).

Systems Admin

Windows Server 2022 Hardware Requirements

The minimum hardware floor for Windows Server 2022, with the technical reasoning behind each spec. CPU: 1.4 GHz x64 with DEP/NX/SLAT (use systeminfo to verify Hyper-V Requirements). RAM: 512 MB for Server Core, 2 GB for Server with Desktop Experience; ECC strongly recommended on physical hardware. Disk: 32 GB base, +4 GB for GUI; RAM > 16 GB scales pagefile.sys / hiberfil.sys / dump files (powercfg -h off reclaims hibernation space on servers that do not need it). Network: 1 Gbps PCIe-compliant Ethernet. TPM: optional in general, required for BitLocker, UEFI Secure Boot measurement, Credential Guard, and VBS - TPM 2.0 standard on modern servers. Includes the practical-vs-documented-minimum comparison table - the documented numbers are install-floors, real production sizing is several times higher on every dimension.

Systems Admin

Active Directory Logical Components and Partitions

Active Directory has both physical and logical components. The logical side is what shapes how identity actually works - which objects exist, which DCs replicate which data, where to look for a setting. This article covers the five core logical components (Schema, OUs, Forest, Domain, AD DS Database) and the four partitions inside the database (Schema, Configuration, Domain, Application = DomainDnsZones + ForestDnsZones). Walks ADSI Edit inspection of each: connect to the Configuration well-known naming context, drill to CN=Partitions for the self-description; connect to Schema for classSchema and attributeSchema objects; connect to Default naming context for the Domain partition (matches ADUC); type explicit DNs for DomainDnsZones and ForestDnsZones to see how AD-integrated DNS records are stored. Includes the replication-reach matrix (which partitions replicate forest-wide vs domain-only), the Global Catalog partial-attribute subset, the Computers/Users-are-containers-not-OUs gotcha (use redirusr/redircmp), and the schema-extension-is-permanent caveat.

Systems Admin

Configure Advanced Audit Policies in Active Directory

Active Directory does not audit security-relevant events out of the box. The legacy 9-category basic audit policy is high-volume and low-resolution; the right tool for granular AD audit is Advanced Audit Policy Configuration with its ~60 subcategories. Walks the full pipeline: create a dedicated GPO, enable two representative subcategories (DS Access -> Audit Directory Service Changes, Object Access -> Audit File System) with Success+Failure, link the GPO to the Domain Controllers OU, force gpupdate, then verify by creating a Test GPO and confirming Event ID 5137 fires on the DC's security log with the matching GUID. Includes a reference table of useful event IDs (4624/4625 logon, 4720/4726/4738 account, 5136-5141 directory service, 4663 file system), the SCENoApplyLegacyAuditPolicy basic-vs-advanced split, the SACLs-required-for-File-System gotcha, the default-16MB-security-log gotcha, and pointers to Windows Event Forwarding and SIEM ingestion for handling volume.

Systems Admin

Comprehensive Guide to Group Policy Objects (GPO): Theory and Best Practices

The conceptual reference for Group Policy: what GPOs actually are, the difference between local and domain GPOs, the two built-in defaults (Default Domain Policy and Default Domain Controllers Policy) and why you should not modify them for general settings, the Computer-Configuration vs User-Configuration split, what GPOs can and cannot be linked to (sites/domains/OUs yes; individual user/computer accounts no), administrative templates (ADMX = engine, ADML = dashboard labels), GPO scope (link + Security Filtering + WMI Filtering + Item-Level Targeting for Preferences), and the LSDOU processing order with last-write semantics. Walks inheritance / Block Inheritance / Enforced precedence (Enforced beats Block), the GUI tools (gpmc.msc, gpedit.msc) and CLI tools (gpupdate, gpresult, LGPO.exe, the GroupPolicy PowerShell module), every GPO attribute (Name, GUID, Links, Security Filtering, WMI Filtering, Version Number, Enabled/Disabled state), and the Azure AD DS differences (no site links, no software deployment, predefined OUs, AAD DC Administrators group). Includes seven best practices and cross-links to the practical articles in the pathway.

Systems Admin

Raise Active Directory Domain and Forest Functional Level

Raising AD functional level is a one-way change that unlocks newer features (PAM at 2016 forest, Protected Users at 2012 R2 domain, AD Recycle Bin at 2008 R2 forest) and removes support for older Windows Server DCs. The wizard click is fast; the pre-flight is where rollout time lives. Walks the full end-to-end procedure: replication health checks (repadmin /replsummary, Get-ADReplicationFailure), DC OS-version inventory (Get-ADDomainController), raise each domain via Active Directory Domains and Trusts (right-click domain - Raise Domain Functional Level - pick target - Raise - confirm), then raise the forest (right-click root - Raise Forest Functional Level), verify both via Properties dialog and Get-ADForest / Get-ADDomain PowerShell, then post-raise housekeeping (repadmin /syncall, Restart-Service kdc on each DC). Includes the order-matters rule (every domain must be at the new level before the forest dropdown will offer it), the FRS-to-DFS-R prerequisite for 2016, the powered-off-DC trap, and the irreversibility caveats.

Systems Admin

Forest and Domain Functional Levels in Active Directory: Theory

Functional levels are the rule book that controls what an Active Directory forest and the domains in it can do. They lock the minimum Windows Server version DCs can run, gate the features available across the directory, and shape every upgrade plan. Two attributes, two scopes - forest functional level (the floor for the whole forest) and domain functional level (per-domain, must be >= forest level). The current ceiling is Windows Server 2016; 2019 and 2022 DCs run at the 2016 level. Functional levels apply only to DCs - workstations and member servers can run any Windows version. Walks the theory: schema vs forest vs domain, the forest-beats-domain rule, the features unlocked at each level (DFS-R for SYSVOL at 2008, AD Recycle Bin at 2008 R2, gMSA at 2012, Protected Users at 2012 R2, PAM at 2016), the GUI check (Active Directory Domains and Trusts) and PowerShell check (Get-ADForest / Get-ADDomain), the FRS-to-DFS-R prerequisite for raising to 2016, and the four common misconceptions (functional level does NOT control client OS, does NOT speed up DCs, etc.).

Systems Admin

Backup and Restore Group Policy Objects (GPOs)

GPOs can be deleted in two clicks; AD replicates the deletion to every DC, SYSVOL files vanish, and clients drop the policy at next refresh. AD Recycle Bin restores the container in AD but not the SYSVOL GPT files where the actual policy settings live - so per-GPO backup is its own discipline. Walks the full GPMC lifecycle: Back Up All... for a fleet snapshot, Back Up... for one GPO before a risky edit, Manage Backups... for preview-then-restore (View Settings opens an HTML report, Restore overwrites the live GPO), and the manual re-link step that the backup does NOT capture. Plus the PowerShell-only equivalent (Backup-GPO -All / Restore-GPO -Name) for scheduled / scripted use. Includes the four pitfalls (no description = uninformative Manage Backups list, backup-on-the-DC-fails-with-the-DC trap, untested-backup wishful thinking, View-Settings-first habit) and the link-map documentation gotcha.

Systems Admin

Change the Retention Period in AD Recycle Bin

AD Recycle Bin defaults to a 180-day recovery window - long enough that 'please restore the user my predecessor deleted last quarter' lands on day 181. Two attributes on CN=Directory Service control end-to-end retention: msDS-DeletedObjectLifetime (Recycle Bin window, fully recoverable with Restore-ADObject) and tombstoneLifetime (permanent-death horizon, garbage collection cutoff). Walks the ADSI Edit edit: connect to the Configuration partition, navigate CN=Configuration / CN=Services / CN=Windows NT / CN=Directory Service, raise both attributes from 180 to 365 (always tombstoneLifetime first - the directory enforces DOL

Systems Admin

Block Windows Store, Xbox, Solitaire, or Any Built-In App with Group Policy

Remove-AppxPackage disappears the next time provisioning runs the OS image; the right tool for keeping consumer UWP apps (Microsoft Store, Xbox, Solitaire, Mixed Reality Portal) off business endpoints is AppLocker Packaged app Rules pushed by Group Policy. Walks the full GPO end-to-end: create + link a new GPO at the OU/domain root, configure the Application Identity service to start automatically (AppLocker's hard dependency), import a 132-rule AppLocker baseline XML, scope the rules with either publisher exceptions on broad Allow rules or explicit per-package Deny rules, switch enforcement mode from Audit-only to Enforce rules, gpupdate, verify on a domain-joined client (Application Identity running, Microsoft Store / Xbox / Solitaire all hit 'This app has been blocked by your system administrator'). Includes the SKU gotcha (AppLocker only enforces on Enterprise / Education, not Pro / Home), the audit-only safety net, the AppLocker event-log IDs (8020 = blocked, 8021 = would-be-blocked) for reporting, and the local-admin-bypass test trap.

Systems Admin

Backup and Restore AD-Integrated DNS Zones

AD-integrated DNS zones live in the directory database, not in flat .dns files - which means a Windows Server system-state backup catches them but only restores via a full authoritative restore in DSRM. For per-zone recovery (accidental delete, single-zone corruption), the right tool is dnscmd /zoneexport (or Export-DnsServerZone) for backup and the New Zone Wizard + zone-type conversion for restore. This article walks the full round trip: export fortesting.local and _msdcs.fortesting.local to .dns.backup files, simulate the disaster by deleting both zones, restore each as a standard Primary zone via the New Zone Wizard (with the rename-the-backup-file trick the wizard requires), then convert back to AD-integrated and tighten dynamic updates to Secure only. Includes the forest-wide replication-scope gotcha for _msdcs (default is domain-wide after conversion - has to be manually widened to forest), the off-server-copy requirement (the export drops files on the DC's own disk), and the verification commands.