Limiting session time - powershell

I have a Windows Server 2012 R2 on which a policy needs to be set. This policy should log off a user if their session is disconnected or idle for more than 2 hours.
One twist is that I have a user named 'Invo' who should not get kicked out by this policy.

Depending on your setup, I take it that the user is part of the same OU as the other users that you want to apply this GPO to. Another thing you could look at is using security filtering to apply the GPO only to a certain group or certain people, but this would also depend on the number of users you have.
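The answer above points at security filtering; the following is an added example (not code from the question or the answer) of doing the whole thing from PowerShell on a box with RSAT: a user-side GPO that sets the Remote Desktop Services idle and disconnect limits to two hours and ends the session when a limit is reached, scoped to a security group that contains everyone in the OU except 'Invo'. The OU path, the group name and the GPO name are assumptions; the registry values are the ones behind User Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits.

```powershell
# Added example, not part of the original post. Requires the GroupPolicy and
# ActiveDirectory modules (RSAT) and an account that can create and link GPOs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName   = 'RDS - 2h session limits'
$targetOu  = 'OU=Staff,DC=example,DC=com'   # assumption: OU holding the affected users
$groupName = 'GPO-SessionLimit-Users'       # assumption: group that carries "Apply Group Policy"
$excluded  = @('Invo')                      # accounts that keep unlimited sessions
$twoHours  = 2 * 60 * 60 * 1000             # the policy values are in milliseconds

# 1. Security group for filtering: every enabled user in the OU except the exclusions.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $targetOu
}
$members = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $targetOu |
    Where-Object { $excluded -notcontains $_.SamAccountName }
if ($members) { Add-ADGroupMember -Identity $groupName -Members $members }

# 2. The GPO and its registry-backed settings (user side, so it follows the user).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$key = 'HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
# "Set time limit for active but idle Remote Desktop Services sessions"
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'MaxIdleTime'          -Type DWord -Value $twoHours | Out-Null
# "Set time limit for disconnected sessions"
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'MaxDisconnectionTime' -Type DWord -Value $twoHours | Out-Null
# "End session when time limits are reached": log the session off instead of leaving it disconnected
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'fResetBroken'         -Type DWord -Value 1 | Out-Null

# 3. Security filtering. Authenticated Users keeps Read only (the computer still has to
#    read a user-side GPO since MS16-072); Apply goes to the filtering group, so 'Invo',
#    who is not a member, never receives the policy.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Link it to the OU (once) and print the resulting delegation for review.
$alreadyLinked = (Get-GPInheritance -Target $targetOu).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}
Get-GPPermission -Name $gpoName -All | Select-Object Trustee, Permission
```

After a `gpupdate /force` on a session host, `gpresult /r` run as 'Invo' should list the GPO under "The following GPOs were not applied because they were filtered out", while any group member should see it applied. The group membership is a snapshot, so new users created later in the OU have to be added to the group (or you maintain it from a scheduled task) for the limit to cover them.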

Related

Exclude a specific folder in All Users OU - Google Workspace

I just started working with a company that uses Google Workspace. They have a group distribution list that sends email to the All Users container. However, within the All Users container, there is also a container for Terminated Employees. Is there a way to set up the distribution list so that it doesn't forward the emails to the Terminated Users container?
Thanks,
Glenn
In this scenario you have two straightforward options so users stop getting those emails:
Remove terminated or suspended users from the group membership. Here you can check how to do it: https://support.google.com/a/answer/10284003
If for some reason you don't want to remove the user from that distribution list, you can disable the user from getting those group messages:
Go to groups.google.com and choose the group in question.
Go to Members; you will see all users in that group, and under the "Subscription" column choose "No email". That will stop the user from getting those group inbound messages.
For the second option you need to have the group "Owner" role; otherwise you will have to log in to the terminated user's session to make these changes.

Apply policy to all but specific users OR computers

Specifically, I'm trying to implement a block-removable-storage policy.
Let's say I have 100 computers named PC1-PC100. PC1-PC10 need to allow removable storage no matter who logs in. Additionally, a couple of user accounts need access to removable storage no matter what computer they log into.
I have tried this by creating a security group, adding the computers to it, creating a policy that targets Authenticated Users and blocks removable storage at the user level, and then adding delegations for the whitelisted computer security group and the 2 user accounts, with a Deny for Apply Group Policy. The delegations worked for the 2 user accounts, but removable storage did not work on the computers in the security group unless the 2 mentioned accounts were logged in.
Can someone kindly point me in the right direction? Thanks!

how to unlock accounts that meet certain conditions

I am trying to unlock several accounts in Active Directory through PowerShell, but I can't figure out how to link every condition into the query.
The conditions are:
- The account should be enabled
- It shouldn't be a member of some groups (which I'm not able to unlock, like Administrators)
I don't have full control over accounts; I'm not able to unlock some of them due to my privileges, so it would be very helpful if you could help me identify or simply discard the accounts that I'm not able to unlock.
I've just tried this:
Search-ADAccount -LockedOut | Unlock-ADAccount
(Very poor attempt, I know; I'm very new to this technology)
But it gives me an error because of my account's privileges.
It says: access rights are insufficient to perform the action.
The error is the same for different CN accounts
But gives me errors because of my account's privileges
That 's' in "errors" is key. If you're getting more than one error, that means that errors don't stop it from continuing on to the next account. That is, actually, how PowerShell works by default.
So what you are doing is already working the way you want it to: it is unlocking all the accounts that you have access to.
Of course, this is just a band-aid on the real problem. It won't eliminate calls for the problem accounts, and it undermines the added security you get by locking accounts in the first place.
I'm able to unlock some accounts, but when I run the command Unlock-ADAccount, I think it tries to unlock accounts like administrator, some disabled accounts, for which I don't have permission to modify, but if I run that command on an individual "regular" account, it gets unlocked.
This is due to the blocking of permission inheritance on Domain Admins accounts and to the Security Descriptor Propagator (SDPROP).
It's not recommended, as it's a critical mechanism in my opinion, but you might:
create a specific delegation for a group,
and append this group to the Access Control Entry (ACE) of this kind of template folder for admin permissions: 'CN=AdminSDHolder,CN=System,DC=example,DC=com' (with the help of LDP.exe).
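An added example (not code posted in this thread) that ties the question's two conditions to the second answer's explanation: accounts that SDPROP has stamped with adminCount=1 are exactly the ones whose permissions are reset from AdminSDHolder, so skipping them, together with the explicit group exclusions, leaves only the accounts a delegated helpdesk account can normally unlock. Each unlock is wrapped so a permission error is recorded rather than aborting the run. The group names are assumptions.

```powershell
# Added example, not from the original thread. Run with the delegated account on a
# machine that has the ActiveDirectory module.
Import-Module ActiveDirectory

$excludedGroups = @('Administrators', 'Domain Admins')   # assumption: groups you may not touch
$excludedDns    = foreach ($g in $excludedGroups) { (Get-ADGroup -Identity $g).DistinguishedName }

$candidates = Search-ADAccount -LockedOut -UsersOnly |
    Get-ADUser -Properties Enabled, adminCount, MemberOf |
    Where-Object {
        $_.Enabled -and
        $_.adminCount -ne 1 -and                                  # protected by AdminSDHolder/SDPROP: skip
        -not ($_.MemberOf | Where-Object { $excludedDns -contains $_ })   # direct member of an excluded group: skip
    }

$report = foreach ($user in $candidates) {
    try {
        Unlock-ADAccount -Identity $user -ErrorAction Stop
        [pscustomobject]@{ Account = $user.SamAccountName; Result = 'Unlocked' }
    } catch {
        # Typically "Insufficient access rights" for objects outside the delegation;
        # record it and continue with the next account.
        [pscustomobject]@{ Account = $user.SamAccountName; Result = $_.Exception.Message }
    }
}

$report | Format-Table -AutoSize
$report | Where-Object Result -ne 'Unlocked' | Export-Csv -Path .\unlock-failures.csv -NoTypeInformation
```

MemberOf only lists direct memberships; if the excluded groups are nested, build the exclusion set from `Get-ADGroupMember -Identity <group> -Recursive` instead and compare distinguished names. The adminCount test catches the nested cases for the built-in protected groups anyway, since SDPROP walks nesting when it stamps the attribute.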

Active Directory Login Report

To make a long story short, we have some staff punctuality issues, so we'd like to set up some type of report/monitor that would send supervisors login timestamps, mostly during morning hours. I don't know if this is possible through event logs by scripting some type of report, but at this point I'm looking for solutions. Any suggestions?
lastLogonTimestamp is not synced in anything near real time, so that will not work for daily reporting.
I would collect the security logon events with the relevant Event IDs and work from there with the reporting.
An alternative is to scavenge the lastLogon property from user objects. But that is a non-replicated attribute, so you would need to read it for a user from all DCs, or wherever it exists.
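As an added example (not code from the answer) of the non-replicated lastLogon approach: query every domain controller, keep the newest value per account, and list who logged on inside a morning window. It also shows the answer's first suggestion for one DC, using Kerberos TGT requests (4768) from the Security log, which is the closest single event to "user logged on to the domain". The OU, the time window and the choice of 4768 are assumptions.

```powershell
# Added example, not part of the original thread. Needs the ActiveDirectory module and
# read access to the DCs' Security logs for the 4768 part.
Import-Module ActiveDirectory

$searchBase  = 'OU=Staff,DC=example,DC=com'   # assumption
$windowStart = (Get-Date).Date.AddHours(7)     # assumption: 07:00 today
$windowEnd   = (Get-Date).Date.AddHours(10)    # assumption: 10:00 today

$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$latest = @{}   # sAMAccountName -> newest lastLogon seen on any DC

foreach ($dc in $dcs) {
    try {
        Get-ADUser -Server $dc -SearchBase $searchBase -Filter 'Enabled -eq $true' -Properties lastLogon |
            ForEach-Object {
                if ($_.lastLogon -gt 0) {                      # 0 = never logged on via this DC
                    $t = [DateTime]::FromFileTime($_.lastLogon) # lastLogon is a FILETIME int64
                    if (-not $latest.ContainsKey($_.SamAccountName) -or $t -gt $latest[$_.SamAccountName]) {
                        $latest[$_.SamAccountName] = $t
                    }
                }
            }
    } catch {
        Write-Warning "Could not query ${dc}: $($_.Exception.Message)"
    }
}

"Newest lastLogon per account inside the window (all DCs consulted):"
$latest.GetEnumerator() |
    Where-Object { $_.Value -ge $windowStart -and $_.Value -lt $windowEnd } |
    Sort-Object Value |
    ForEach-Object { [pscustomobject]@{ Account = $_.Key; LastLogon = $_.Value } } |
    Format-Table -AutoSize

# Security-log alternative on one DC: 4768 = Kerberos TGT issued. Properties[0] is
# TargetUserName; computer accounts (name ends in $) are dropped.
"Kerberos TGT requests on $($dcs[0]) inside the window:"
Get-WinEvent -ComputerName $dcs[0] -FilterHashtable @{
        LogName = 'Security'; Id = 4768; StartTime = $windowStart; EndTime = $windowEnd
    } -ErrorAction SilentlyContinue |
    ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Account = $_.Properties[0].Value } } |
    Where-Object { $_.Account -notlike '*$' } |
    Sort-Object Time |
    Format-Table -AutoSize
```

lastLogon only tells you the latest logon each DC saw, so a user who logged on at 07:30 and again at 11:00 shows the later time; the event-log route keeps every request, so run it against all DCs (not just `$dcs[0]`) if you want a complete first-logon-of-the-day figure, since the TGT can be issued by any of them.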

Running Convert-MsolDomainToStandard to de-federate

We're about to de-federate our Office 365 domain from using ADFS 2.0 to using passwords synced with Azure AD Sync.
We understand the process requires us to run Convert-MsolDomainToStandard, and then force a re-sync of our passwords with Azure AD Sync. All good so far.
First question. What PowerShell can we run to confirm that all our passwords are re-syncing OK on the Azure/365 side? For example, can we get the last password sync time for each user? (Not the last password change time, which is different!) We really need confidence to pull the trigger on this with 18,000 users.
Second question. After we run this, what PowerShell can we run to ensure all users have been de-federated properly? A belt-and-braces check that they've all been correctly updated. I've seen that a lot of people de-federating have had to use Convert-MsolFederatedUser for some users after Convert-MsolDomainToStandard crashed out. What attributes would mark an Azure user as using federated logon rather than managed?
You can review the Application event log to check whether the password sync for every federated user is successful, as well as the sync time.
Event ID 650 indicates that the password sync process started, and Event ID 657 will show you whether each user's password sync was successful or not.
For the second question, I haven't found a PowerShell cmdlet to query whether the users have been de-federated or not. However, when using the following cmdlet, you will get the users listed in password.txt, which contains each federated user's temporary password. If you run the cmdlet again, the users who have already been converted will not be issued a new password; the temporary password column will be changed to N/A after the full password sync is completed. So you can confirm whether a user is de-federated or not by examining the password files.
Convert-MsolDomainToStandard -DomainName <federated domain name> -SkipUserConversion $false -PasswordFile C:\password.txt
Finally, more references around this can be found here: [1] and [2].
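An added example (not code from the answer) that turns the two checks described above into something you can run on the Azure AD Sync server after the conversion: it pulls the 650 and 657 events from the Application log, tallies the per-user results, and then confirms at the domain level that authentication now reports Managed via Get-MsolDomain. The provider name, the domain, the look-back window and the regex used to pull the DN and result out of the 657 message text are assumptions about the log format; adjust the regex if your 657 messages are worded differently.

```powershell
# Added example, not part of the original answer. Run on the sync server for the event
# part; the MSOnline part needs Connect-MsolService to have been run first.
$domain   = 'example.com'                 # assumption: the domain you converted
$since    = (Get-Date).AddHours(-2)       # assumption: look at the last two hours of sync activity
$provider = 'Directory Synchronization'   # assumption: event source used by Azure AD Sync

$events = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = $provider; Id = 650, 657; StartTime = $since
    } -ErrorAction SilentlyContinue

$batches = @($events | Where-Object Id -eq 650)
$results = foreach ($e in ($events | Where-Object Id -eq 657)) {
    # assumption: the 657 message carries "Dn : CN=..." and "Result : <word>" fragments
    $dn  = if ($e.Message -match 'Dn\s*:\s*(?<dn>CN=[^\r\n]+)') { $Matches.dn }  else { '?' }
    $res = if ($e.Message -match 'Result\s*:\s*(?<res>\w+)')     { $Matches.res } else { 'Unknown' }
    [pscustomobject]@{ Time = $e.TimeCreated; Dn = $dn; Result = $res }
}

"Password sync batches started since ${since}: $($batches.Count)"
"Per-user results (657):"
$results | Group-Object Result | Select-Object Name, Count | Format-Table -AutoSize
"Users whose last result is not Success:"
$results | Sort-Object Time | Group-Object Dn |
    ForEach-Object { $_.Group[-1] } |            # newest 657 per user
    Where-Object Result -ne 'Success' |
    Format-Table Time, Dn, Result -AutoSize

# Domain-level de-federation check. Get-MsolDomain reports Authentication as
# Managed or Federated; anything but Managed means the conversion did not complete.
$d = Get-MsolDomain -DomainName $domain
if ($d.Authentication -ne 'Managed') {
    Write-Warning "$domain still reports Authentication=$($d.Authentication)"
} else {
    "$domain is Managed"
}
```

With 18,000 users, the count of 657 events should approach the number of synced accounts after a full password sync has run; a large gap between that count and the user total, or a cluster of non-Success results, is the signal to run Convert-MsolFederatedUser for the leftovers before cutting ADFS over.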