Posted by robd on May 13, 2019 in Group Policies
Pretty easy one, but I don't think it's on my blog. Here's how to clear down the GPO cache so that it will pull down correctly:
- Open My Computer/Computer
- Go to: %windir%\system32\GroupPolicy
- Delete everything in the folder.
- Then delete: C:\ProgramData\Microsoft\Group Policy\History
- Restart the computer to re-apply the group policies
If that doesn't do what you need it to:
- Delete the “HKLM\Software\Policies\Microsoft” Key
- Delete the “HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects”
- Delete the “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies”
Worst case:
- Remove the computer from the domain
- Restart computer
- Run gpupdate /force
- Rejoin the domain
Tags: GPO, Group Policy, Registry
Posted by robd on January 23, 2019 in Encryption
We have two GPOs, one for TPM 1.2 and one for TPM 2.0, the reason being that TPM 1.2 is not compatible with 256 encryption.
Here’s a handy table Dell have produced:
https://www.dell.com/support/article/us/en/04/sln312590/tpm-12-vs-20-features?lang=en
| Algorithm Type | Algorithm Name | TPM 1.2 | TPM 2.0 |
|---|---|---|---|
| Asymmetric | RSA 1024 | Yes | Optional |
| | RSA 2048 | Yes | Yes |
| | ECC P256 | No | Yes |
| | ECC BN256 | No | Yes |
| Symmetric | AES 128 | Optional | Yes |
| | AES 256 | Optional | Optional |
| Hash | SHA-1 | Yes | Yes |
| | SHA-2 256 | No | Yes |
| HMAC | SHA-1 | Yes | Yes |
| | SHA-2 256 | No | Yes |
We then use WMI filtering to distinguish TPM 1.2 from 2.0.
The TPM 1.2 WMI filter:
Namespace:
root\cimv2\security\microsofttpm
Query:
Select * from win32_tpm WHERE SpecVersion like "%1.2%"

The TPM 2.0 WMI filter:
Namespace:
root\cimv2\security\microsofttpm
Query:
Select * from win32_tpm WHERE SpecVersion like "%2.0%"
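
To check which of the two filters a given machine falls under, the PowerShell below (an added example, not code from the original post) applies both LIKE patterns to constructed SpecVersion strings and then to the local TPM. The function names and sample values are assumptions; a machine with no Win32_Tpm instance matches neither filter, so neither GPO applies to it.

```powershell
# Added example (not from the original post). Function and variable names are hypothetical.
$Namespace = 'root\cimv2\security\microsofttpm'

# The two WMI filter queries exactly as given in the post, keyed by the GPO they gate.
$Filters = [ordered]@{
    'TPM 1.2 GPO' = 'Select * from win32_tpm WHERE SpecVersion like "%1.2%"'
    'TPM 2.0 GPO' = 'Select * from win32_tpm WHERE SpecVersion like "%2.0%"'
}

function Get-MatchingTpmGpo {
    # Emulates the filters offline: returns the name of every GPO whose LIKE pattern matches.
    param([string]$SpecVersion)
    foreach ($name in $Filters.Keys) {
        # Extract the pattern from the query and map the WQL wildcard % to PowerShell's *.
        $pattern = [regex]::Match($Filters[$name], 'like "([^"]+)"').Groups[1].Value -replace '%', '*'
        if ($SpecVersion -and ($SpecVersion -like $pattern)) { $name }
    }
}

function Show-Verdict {
    # A healthy result is exactly one matching filter per machine.
    param([string]$Source, [string]$SpecVersion)
    $hits = @(Get-MatchingTpmGpo $SpecVersion)
    $verdict = switch ($hits.Count) {
        0       { 'NO filter matches: neither BitLocker GPO applies' }
        1       { "OK: $($hits[0])" }
        default { 'BOTH filters match: conflicting GPOs apply' }
    }
    [pscustomobject]@{ Source = $Source; SpecVersion = $SpecVersion; Verdict = $verdict }
}

# Constructed sample values (spec version, revision, errata); '' models a PC with no TPM instance.
$samples = '1.2, 2, 3', '2.0, 0, 1.38', ''
$results = @(foreach ($s in $samples) { Show-Verdict 'constructed' $s })

# Live check: read this machine's SpecVersion and apply the same patterns.
# Querying Win32_Tpm normally needs an elevated session.
try {
    $tpm = Get-CimInstance -Namespace $Namespace -ClassName Win32_Tpm -ErrorAction Stop
    $results += Show-Verdict $env:COMPUTERNAME $tpm.SpecVersion
} catch {
    Write-Warning "Win32_Tpm query failed: $($_.Exception.Message)"
}
$results | Format-Table -AutoSize
```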

Tags: bitlocker, Group Policy, WMI
Posted by robd on May 08, 2014 in DNS
Hi All,
My company uses a subdomain for a satellite office; all works fine, replication takes place, etc.
The problem I had was with DNS. I’m based in Contoso.local and I cannot ping any device on the sub-domain Sub.contoso.local without fully qualifying the domain.
For example, if I ping Server1 on the subdomain using
"Ping Server1"
DNS cannot route the command, whereas if I type
"Ping Server1.sub.contoso.local"
it works fine.
I’ve checked DNS on Contoso.local and there are conditional forwarders to Sub.contoso.local:

So how can I get around this? The answer is to add a DNS suffix locally or to all the domain devices via group policy:
Group policy:
Computer Policy > Policies > Administrative Templates > Network/DNS Client > DNS Suffix Search List.

Then GPUPDATE /force your client and run IPCONFIG /ALL and you should see:

Tags: AD, CMD, DNS, domain, Group Policy, Server 2008, subdomain