Tag Archives: Group Policy Objects

GPO – PowerShell – Intune – Add additional DNS Client Servers across the enterprise

16 Aug

Let’s say your entire Windows member server fleet (Windows Server 2016/2019/2022, Windows 11 Pro/Enterprise, etc.) uses DNS Server 1 and Server 2 in its TCP/IP properties, and you now decide to add DNS Server 3 and Server 4 to the member servers to increase resiliency.

In this blog post, I will demonstrate how you can add the additional DNS servers across your enterprise using a Group Policy Object and PowerShell.

What doesn’t work?

Don’t waste time on the GPO setting Computer Configuration > Administrative Templates > Network > DNS Client > DNS Servers: it doesn’t work. Its “Supported On” list doesn’t include Windows Server 2016/Windows 10. Even if you apply this GPO, the value is written to the server’s registry, but there is no visible change under the TCP/IP properties.

Prerequisites

To implement this configuration via a Group Policy Object within the enterprise, you need:

  • The necessary Active Directory permissions to create, apply and link the GPOs
  • Access to the SYSVOL folder to store the script (the task below runs it as SYSTEM on every in-scope server, so write access to the script must stay restricted to administrators)
  • WMI filters to target the script/GPO to specific subnets (more details below)

PowerShell Script for DNSClient (Additional DNS Servers)

Save the script below and place it at the following location: \\DOMAINNAME\SYSVOL\DOMAINNAME\scripts\SetDNSAddress.ps1

  • Please enter the proper DNS server addresses within the script based on your environment and requirements.
# Find every interface whose DNS client list currently contains Server 1 or Server 2
$dnsclient = Get-DnsClient | Get-DnsClientServerAddress |
    Where-Object { $_.ServerAddresses -contains "192.168.0.3" -or $_.ServerAddresses -contains "192.168.0.4" }
# Replace the list with all four servers; the order is the lookup preference order
foreach ($nic in $dnsclient) {
    Set-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex -ServerAddresses ("192.168.0.3", "192.168.0.4", "192.168.0.5", "192.168.0.6")
}

Create the GPO (Additional DNS Servers)

On a member server with administrative privileges, press Win + R to open the Run box. Type gpmc.msc and press Enter to open the Group Policy Management Console.

  • In the GPMC, expand the forest and domain trees on the left pane to locate the domain you want to create the GPO in.
  • Right-click on “Group Policy Objects” under the domain and select “New” to create a new GPO.
  • In the “New GPO” dialog box, provide a name for the GPO (e.g., “Additional DNS Servers”) and click “OK”.
  • Right-click on the newly created GPO and select “Edit” to open the Group Policy Management Editor.
  • Navigate to Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks
  • Right-click on Scheduled Tasks and create a new Immediate Task.
  • Give it a name – SetDNSClient
  • Set the user account as SYSTEM. It will automatically convert into NT AUTHORITY\SYSTEM.
  • Tick “Run with highest privileges”
  • In the Actions tab, create a new “Start a program” action.
  • Set the Program as: PowerShell.exe
  • Set the Add Arguments field to the following line, modified to include your network share and file: -ExecutionPolicy Bypass -Command "& \\DOMAINNAME\SYSVOL\DOMAINNAME\scripts\SetDNSAddress.ps1"
  • On the Common tab, tick “Apply once and do not reapply”
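To confirm the immediate task actually changed the TCP/IP properties on every server in scope (rather than only the registry, as with the non-working GPO setting), here is an added verification script that is not part of the post. It assumes PowerShell remoting to the targets, a constructed C:\Temp\servers.txt list with one hostname per line, and the same four example addresses as the script above.

```powershell
# Added example: audit the DNS client list on a set of member servers and flag any
# IPv4 interface that still lacks one of the expected servers.
$Expected = @("192.168.0.3", "192.168.0.4", "192.168.0.5", "192.168.0.6")
$Servers  = Get-Content -Path "C:\Temp\servers.txt"   # constructed list, one hostname per line

$report = Invoke-Command -ComputerName $Servers -ArgumentList (,$Expected) -ErrorAction Continue -ScriptBlock {
    param([string[]]$Expected)
    foreach ($iface in Get-DnsClientServerAddress -AddressFamily IPv4) {
        # Interfaces with no DNS servers at all (loopback, tunnels) are not in scope
        if ($iface.ServerAddresses.Count -eq 0) { continue }
        $missing = @($Expected | Where-Object { $_ -notin $iface.ServerAddresses })
        [PSCustomObject]@{
            ComputerName    = $env:COMPUTERNAME
            Interface       = $iface.InterfaceAlias
            ServerAddresses = $iface.ServerAddresses -join ', '
            Missing         = $missing -join ', '
            Compliant       = ($missing.Count -eq 0)
        }
    }
}

# Full per-interface result for the change record
$report | Select-Object ComputerName, Interface, ServerAddresses, Missing, Compliant |
    Export-Csv -Path "C:\Temp\dns-audit.csv" -NoTypeInformation

# Servers that still need attention (task not yet run, or interface not matched by the script)
$report | Where-Object { -not $_.Compliant } | Format-Table ComputerName, Interface, Missing -AutoSize
```

Hosts that fail to respond are reported by Invoke-Command as errors and are absent from the CSV, so compare the CSV against servers.txt as well.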

Bonus Tip – WMI Filters

Suppose you want to target the GPO at a specific set of member servers whose IP addresses start with a particular prefix. You can create a WMI filter such as the one below to target only the computers in that range. It works because Windows keeps a /32 host route (Mask 255.255.255.255) for each of the machine’s own IP addresses, so the Destination column of those rows is the local address. In the example below, the GPO will apply to machines whose IP address starts with 192.168. or 192.169.

SELECT * FROM Win32_IP4RouteTable
WHERE (Mask='255.255.255.255'
AND (Destination LIKE '192.168.%' OR Destination LIKE '192.169.%'))
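Before linking the filter, it is worth running the same WQL on a host to see whether that machine would be in scope and which route row causes the match. This is an added example, not from the post; it assumes the query above and, for remote hosts, WinRM access.

```powershell
# Added example: evaluate a GPO WMI filter query locally or on a remote host.
$Query = @"
SELECT * FROM Win32_IP4RouteTable
WHERE (Mask='255.255.255.255'
AND (Destination LIKE '192.168.%' OR Destination LIKE '192.169.%'))
"@

function Test-GpoWmiFilter {
    param([string]$WqlQuery, [string]$ComputerName)
    # GPO WMI filters are evaluated in root\CIMv2; a non-empty result set means "apply"
    $cim = @{ Namespace = 'root\CIMv2'; Query = $WqlQuery }
    if ($ComputerName) { $cim.ComputerName = $ComputerName }   # remote evaluation goes over WinRM
    $rows = @(Get-CimInstance @cim)
    $name = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
    [PSCustomObject]@{
        ComputerName   = $name
        FilterApplies  = ($rows.Count -gt 0)
        # /32 host routes: Destination is one of the machine's own IPv4 addresses
        MatchedAddress = ($rows | ForEach-Object Destination) -join ', '
    }
}

# Local check, then a couple of placeholder server names
Test-GpoWmiFilter -WqlQuery $Query
'SERVER01', 'SERVER02' | ForEach-Object { Test-GpoWmiFilter -WqlQuery $Query -ComputerName $_ }
```

A machine with a secondary address in the range (for example a cluster or backup NIC) also matches, so check MatchedAddress rather than only FilterApplies.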

Intune (Configuration Profiles – Doesn’t Work)

As of writing this blog post, the Intune built-in setting/CSP shows the same behaviour as the DNS Server GPO: it doesn’t work.

CSP

In both cases (CSP and ADMX templates), the report says the policy is applied successfully. However, there is no visible impact on the operating system’s TCP/IP properties. I am optimistic that using the Scripts method and PowerShell can achieve the same results in Intune. Please let me know in the comments section if you got it working, or else if you would like to see a blog post on using Intune Scripts to set the DNS client on member servers.

Following are the references and important links worth going through for more details:

Description – Link
Static DNS Servers via GPO – Update DNS static servers in your local Network (itdungeon.blogspot.com)
DNS Server GPO doesn’t work – DNS Server GPO Settings Invisible in IPConfig – CB5 Solutions LLC (cbfive.com)

I hope you will find this helpful information for applying additional DNS servers via GPO and PowerShell. I want to thank my friend Eqbal Hussian for his assistance and additional rounds of testing/validation. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

PowerShell – GPO Analysis – Search for a specific or list of GPO Setting across multiple GPOs within a domain

20 Jul

If you have ever had to search for a particular GPO setting, or a list of them, across a large number of Group Policy Objects (GPOs) in your domain, you know how tedious it can be to find specific settings across hundreds or thousands of GPOs. PowerShell comes to the rescue with a script that searches all your existing GPOs for those settings and generates an organized CSV output. In this blog post, we’ll walk you through the process and make sure you have all the prerequisites to get started.

Use case

You have approximately 50 to 60 GPO settings from the Center for Internet Security (CIS) benchmark documents (CIS Microsoft Windows Desktop Benchmarks / CIS Microsoft Windows Server Benchmarks) that you want to check against your domain: are they already configured in an existing GPO, or not present in the environment at all? Instead of searching manually one by one, you can use the PowerShell script below to get results like a champion.

Prerequisites

Before using the PowerShell script, ensure you have the following prerequisites in place:

  1. Windows PowerShell version 5.0 and above
  2. Active Directory Module for Windows PowerShell
  3. Permissions: Ensure you have sufficient permissions to access and analyze GPO settings. Typically, you need to be a member of the Domain Administrators group or have equivalent privileges.
  4. Execute the script from a member server that is part of the domain and has the necessary permissions.
  5. Prepare the input file (inputgpo.txt) with one GPO setting per line and save it. In my situation, it’s present in C:\Temp. The input file used in this post contains:
Relax minimum password length limits
Allow Administrator account lockout
Generate security audits
Impersonate a client after authentication
Lock pages in memory
Replace a process level token
Accounts: Block Microsoft accounts
Interactive logon: Machine inactivity limit
Microsoft network server: Server SPN target name validation level
Network access: Remotely accessible registry paths
Network security: Configure encryption types allowed for Kerberos
Audit Security State Change
Do not allow password expiration time longer than required by policy
Password Settings: Password Complexity
Password Settings: Password Length
Password Settings: Password Age (Days)

PowerShell Script

Now that you have the prerequisites in place, let’s dive into the PowerShell script. It is also available on GitHub: GitHub – avdwin365mem/GPOSettingsSearch at main · askaresh/avdwin365mem (github.com)

  • Enter the name of your domain (e.g. askaresh.com)
  • Make sure the input file is present in C:\Temp
# Get-GPO and Get-GPOReport come from the GroupPolicy module (RSAT Group Policy Management Tools)
Import-Module GroupPolicy

# Domain
$DomainName = "askaresh.com"

# Initialize matchlist
$matchlist = @()

# Collect all GPOs and generate each GPO's XML report once, rather than once per search string
# This step will take time depending on how many 100's or 1000's of policies are present in the environment
$GPOs = Get-GPO -All -Domain $DomainName
$Reports = @{}
foreach ($gpo in $GPOs) {
    $Reports[$gpo.Id] = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $DomainName
}

# Read search strings from text file (blank lines are skipped)
# A list of GPO settings you want to search
$SearchStrings = Get-Content -Path "C:\Temp\inputgpo.txt" | Where-Object { $_.Trim() -ne "" }

# Hunt through each GPO XML for each search string
foreach ($searchString in $SearchStrings) {
    $found = $false
    # -match treats the right-hand side as a regex, so escape the setting name; otherwise
    # "(Days)" in "Password Settings: Password Age (Days)" would be read as a regex group
    $pattern = [regex]::Escape($searchString.Trim())
    foreach ($gpo in $GPOs) {
        if ($Reports[$gpo.Id] -match $pattern) {
            $matchlist += [PSCustomObject]@{
                "SearchString" = $searchString
                "GPOName"      = $gpo.DisplayName
            }
            $found = $true
        }
    }
    if (-not $found) {
        $matchlist += [PSCustomObject]@{
            "SearchString" = $searchString
            "GPOName"      = "No results found"
        }
    }
}

# Output results to CSV, Search results
$matchlist | Export-Csv -Path "C:\Temp\gposearch.csv" -NoTypeInformation
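As an added example (not from the post or the GitHub repo), the same XML reports can also tell you where inside each GPO a setting lives (Computer or User side and the extension path) and what is configured next to it, which is what you need when reconciling against a CIS benchmark. It assumes the same C:\Temp\inputgpo.txt file and the GroupPolicy module, and it only reports hits, so the script above remains the place to get the “No results found” rows.

```powershell
# Added example: report the location and surrounding values of each matched setting.
Import-Module GroupPolicy

$DomainName    = "askaresh.com"
$SearchStrings = Get-Content -Path "C:\Temp\inputgpo.txt" | Where-Object { $_.Trim() -ne "" }

# Return the element's ancestor chain, e.g. GPO/Computer/ExtensionData/Extension/SecurityOptions/Display/Name
function Get-NodePath([System.Xml.XmlNode]$Node) {
    $parts = @()
    while ($null -ne $Node -and $Node.NodeType -eq 'Element') {
        $parts = @($Node.LocalName) + $parts
        $Node  = $Node.ParentNode
    }
    return ($parts -join '/')
}

$results = foreach ($gpo in Get-GPO -All -Domain $DomainName) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $DomainName
    foreach ($searchString in $SearchStrings) {
        $needle = $searchString.Trim()
        # The name is embedded as an XPath string literal in double quotes; a name containing
        # a double quote would need concat(), which none of the CIS setting names above do
        foreach ($node in $report.SelectNodes("//*[contains(text(), `"$needle`")]")) {
            $path = Get-NodePath $node
            $side = if ($path -like 'GPO/User/*') { 'User' } else { 'Computer' }
            # Sibling elements usually carry the configured state or value next to the name
            $context = ($node.ParentNode.ChildNodes | Where-Object { $_ -ne $node } |
                ForEach-Object { "$($_.LocalName)=$($_.InnerText.Trim())" }) -join '; '
            [PSCustomObject]@{
                SearchString = $needle
                GPOName      = $gpo.DisplayName
                Side         = $side
                Location     = $path
                Context      = $context
            }
        }
    }
}

$results | Export-Csv -Path "C:\Temp\gposearch-detail.csv" -NoTypeInformation
```

The Location column separates a setting that is configured from one that is merely mentioned in a description or a policy path, which the plain text match cannot tell apart.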

Output (Results)

The output will look like the following within the CSV:

I hope you will find this helpful information for searching GPO settings across hundreds or thousands of GPOs within your domain. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari