Microsoft BitLocker TPM Initialization in Domain

First set the permissions on the OU container so that the computer's own SELF principal (NT AUTHORITY\SELF) can write back the msTPM-OwnerInformation attribute; this is required when the TPM is first initialized on the client:

1. Open Active Directory Users and Computers.

2. Select the OU where you have all computers which will have Bitlocker turned ON.

3. Right Click on the OU and click Delegate Control.

4. Click Next and then click Add.

5. Type SELF as the Object Name.

6. Select create a custom task to delegate.

7. From the object in the folder, select Computer Objects.

8. Under Show these permissions, select all 3 checkboxes.

9. Scroll down in Permissions and select the attribute Write msTPM-OwnerInformation.

10. Click Finish.

11. CUSTOM: Now add the computer to the AD Group named “bitlocker”

12. CUSTOM: Finally, power up the client, turn on the TPM and then initialize the TPM in Windows

13. CUSTOM: Enable BitLocker (you must be logged in as a local or domain admin) and check the AD computer object for the recovery keys

Next, follow the MS article on configuring AD / BitLocker:

http://technet.microsoft.com/en-us/library/cc766015(v=ws.10).aspx
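Added example (not from the original post or the MS article) for step 13: after enabling BitLocker on a domain-joined client, confirm that the recovery password for C: really was escrowed to the computer object in AD. It assumes the BitLocker and ActiveDirectory PowerShell modules (Windows 8 / Server 2012 or later with RSAT) and an elevated domain-admin session; the mount point and computer name are the only inputs.

```powershell
# Added example: verify that BitLocker recovery passwords are escrowed in AD.
# Assumes BitLocker + ActiveDirectory modules and an elevated domain-admin session.
Import-Module BitLocker
Import-Module ActiveDirectory

$mount = 'C:'
$vol = Get-BitLockerVolume -MountPoint $mount
$recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($recovery.Count -eq 0) {
    throw "No recovery password protector on ${mount}; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector first"
}

# Re-run the AD backup for each recovery protector (the same escrow the
# 'Store BitLocker recovery information in AD DS' policy does at enable time).
foreach ($kp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $kp.KeyProtectorId | Out-Null
}

# AD stores each escrowed password as an msFVE-RecoveryInformation object
# directly under the computer account, so search one level below its DN.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$escrowed = @(Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties msFVE-RecoveryGuid, whenCreated)

# msFVE-RecoveryGuid is an octet string (byte[]); convert it to the {GUID}
# form that KeyProtectorId uses so the two sides can be compared directly.
$adIds = @($escrowed | ForEach-Object {
    $g = New-Object System.Guid -ArgumentList (,[byte[]]$_.'msFVE-RecoveryGuid')
    '{' + $g.ToString().ToUpper() + '}'
})

foreach ($kp in $recovery) {
    if ($adIds -contains $kp.KeyProtectorId) {
        Write-Output "OK: protector $($kp.KeyProtectorId) is escrowed in AD"
    } else {
        Write-Warning "MISSING: protector $($kp.KeyProtectorId) has no msFVE-RecoveryInformation object under $($computer.DistinguishedName)"
    }
}
```

A MISSING result usually means the client enabled BitLocker before the delegation above was in place, or the client has no line of sight to a writable DC.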


To manage the keys you’ll need to register the BitLocker viewer from RSAT as detailed by MS here http://support.microsoft.com/kb/928202

Must be run as a domain admin:

regsvr32.exe BdeAducExt.dll


Manage System restore and Shadow Copies from the command line

thanks to http://www.ghacks.net/2012/10/05/manage-system-restore-from-the-command-line/

  • vssadmin list shadows – This command lists all existing shadow copies on the system
  • vssadmin delete shadows /for=c: /oldest – This command deletes the oldest shadow copy on drive C
  • vssadmin delete shadows /for=d: /all – This command deletes all existing shadow copies on drive D
  • vssadmin delete shadows /for=c: /shadow=ID – Deletes the selected shadow copy; the IDs are shown by the list shadows command.
  • vssadmin resize shadowstorage /for=c: /maxsize=2GB – Sets the shadow storage for drive C to 2 GB. This may delete existing restore points, starting with the oldest, if the space is not sufficient to hold all System Restore points.
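Added example (not from the original post or the ghacks article): the object-based equivalent of vssadmin list shadows and vssadmin list shadowstorage, so the shadow copy IDs the delete commands need can be filtered by drive and age rather than read off the console. It assumes an elevated PowerShell 3.0+ session (CIM cmdlets); the function names are my own.

```powershell
# Added example: inventory shadow copies and shadow storage via WMI/CIM.
# Assumes an elevated PowerShell 3.0+ session.

# Look up the Win32_Volume for a "\\?\Volume{guid}\" device path (WQL needs
# backslashes escaped inside the filter string).
function Get-VolumeByDeviceId([string]$DeviceId) {
    Get-CimInstance -ClassName Win32_Volume -Filter "DeviceID='$($DeviceId.Replace('\','\\'))'"
}

# Equivalent of 'vssadmin list shadows', optionally restricted to copies older
# than N days (0 = everything).
function Get-ShadowCopyInventory {
    param([int]$OlderThanDays = 0)
    $now = Get-Date
    $cutoff = $now.AddDays(-$OlderThanDays)
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $OlderThanDays -eq 0 -or $_.InstallDate -lt $cutoff } |
        ForEach-Object {
            $vol = Get-VolumeByDeviceId $_.VolumeName
            [pscustomobject]@{
                ShadowId = $_.ID                  # the {GUID} used by /shadow=ID
                Drive    = $vol.DriveLetter       # $null for volumes without a letter
                Created  = $_.InstallDate         # snapshot creation time
                AgeDays  = [int]($now - $_.InstallDate).TotalDays
                Device   = $_.DeviceObject        # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
            }
        }
}

# Equivalent of 'vssadmin list shadowstorage'; MaxGB is what /maxsize changes.
function Get-ShadowStorageUsage {
    Get-CimInstance -ClassName Win32_ShadowStorage | ForEach-Object {
        $vol = Get-VolumeByDeviceId $_.Volume.DeviceID
        [pscustomobject]@{
            Drive       = $vol.DriveLetter
            UsedGB      = [math]::Round($_.UsedSpace / 1GB, 2)
            AllocatedGB = [math]::Round($_.AllocatedSpace / 1GB, 2)
            MaxGB       = [math]::Round($_.MaxSpace / 1GB, 2)
        }
    }
}

Get-ShadowCopyInventory -OlderThanDays 30 | Format-Table -AutoSize
Get-ShadowStorageUsage | Format-Table -AutoSize
```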

Allow Users to bind machines to domains

Use the Delegate Control wizard inside AD against the top-level domain object (not an OU). You can then select “Join Domain” as a security option for your chosen user(s)/group(s).


Be sure to check for the group policy too, “Default Domain Policy” > Computer Configuration > Windows Settings > Security Settings > Local Policies > “Add Workstations to Domain”

Windows 2003+ domain – Prevent users from adding computers to the domain

1. Open Run and type ADSIEDIT.msc (you may need to register adsiedit.dll on the server first)

2. Right click ADSI Edit and choose Connect to

3. In the Connection Point section, choose Select a well known Naming Context and, from the drop-down list, choose Default naming context

4. Click OK

5. Expand Default naming context

6. Right click the DC=mydomain,DC=local domain folder and choose Properties

7. Select ms-DS-MachineAccountQuota and click Edit

8. Type 0

9. Click OK

http://support.microsoft.com/kb/243327
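Added example (not from the original post or the KB article): the same ms-DS-MachineAccountQuota change done with the ActiveDirectory module instead of ADSI Edit, with a read-back before and after so the change is verifiable. It assumes RSAT and a domain-admin session; the domain is whatever Get-ADDomain returns, and the function names are my own.

```powershell
# Added example: read, set and verify ms-DS-MachineAccountQuota with the AD module.
# Assumes RSAT (ActiveDirectory module) and a domain-admin session.
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    # The quota lives on the domain head object (DC=mydomain,DC=local), not on an OU.
    $domain = Get-ADDomain
    (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Set-MachineAccountQuota {
    param([ValidateRange(0, [int]::MaxValue)][int]$Quota)
    $domain = Get-ADDomain
    Set-ADObject -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = $Quota }
}

$before = Get-MachineAccountQuota
# The AD default is 10: any authenticated user may join up to 10 machines.
Write-Output "ms-DS-MachineAccountQuota before: $before"

Set-MachineAccountQuota -Quota 0

$after = Get-MachineAccountQuota
if ($after -ne 0) { throw "Quota is still $after after the change" }
# With the quota at 0, joins need the explicit delegation or the
# 'Add workstations to domain' right described in the section above.
Write-Output "ms-DS-MachineAccountQuota now: $after"
```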

WAIK Disable UAC

Addition to the WAIK sysprep unattend.xml to disable UAC (the first command also enables the built-in Administrator account), from:

http://social.technet.microsoft.com/Forums/en-US/dc625f8b-9a51-4dc0-a573-8cc23cee12f8/can-uac-be-disabled-via-unattendxml-for-server-2008-deployments?forum=mdt

<component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <RunSynchronous>
    <RunSynchronousCommand wcm:action="add">
      <Order>1</Order>
      <Path>net user administrator /active:yes</Path>
    </RunSynchronousCommand>
    <RunSynchronousCommand wcm:action="add">
      <Order>2</Order>
      <Path>cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f</Path>
      <Description>Disable EnableLUA</Description>
    </RunSynchronousCommand>
    <RunSynchronousCommand wcm:action="add">
      <Order>3</Order>
      <Path>cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f</Path>
      <Description>ConsentPromptBehaviorAdmin</Description>
    </RunSynchronousCommand>
  </RunSynchronous>
</component>


Trust relationship failed, Windows domain

HKLM\System\CurrentControlSet\services\Netlogon\Parameters

Add or change the DWORD value:

DisablePasswordChange=1


2016-07-21 UPDATE:

Discovered this thread, which mentions using PowerShell to reset the machine password if you haven’t completed the registry change:

Open PowerShell as administrator. Run this command sequence:

$credential = Get-Credential

(enter domain admin account when prompted)

Reset-ComputerMachinePassword -Server <<YOUR DC NAME HERE>>

Thanks to: https://community.spiceworks.com/how_to/108912-fix-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed
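Added example (not from the original post or the Spiceworks thread): test whether the secure channel is actually broken before resetting anything, then apply the Reset-ComputerMachinePassword fix above and re-test. It assumes PowerShell 3.0+ in an elevated session on the affected client; $dc is a placeholder for your DC name.

```powershell
# Added example: diagnose and repair a failed trust relationship.
# Assumes an elevated PowerShell 3.0+ session on the affected client.
$dc = 'DC01.mydomain.local'   # placeholder, replace with your DC name

# Test-ComputerSecureChannel returns $true when this machine's account
# password still matches what the DC holds; nothing needs resetting then.
if (Test-ComputerSecureChannel -Server $dc) {
    Write-Output "Secure channel to $dc is healthy; no reset needed."
    return
}

# Broken channel: reset the machine account password using domain-admin
# credentials (same sequence as the thread above, with the DC name filled in).
$credential = Get-Credential -Message 'Enter a domain admin account'
Reset-ComputerMachinePassword -Server $dc -Credential $credential

if (-not (Test-ComputerSecureChannel -Server $dc)) {
    throw "Secure channel still broken after reset; check the computer object in AD and the DC name"
}
Write-Output "Secure channel to $dc restored."

# Report the DisablePasswordChange value from the registry note above: when it
# is 1 the client stops rotating its machine password (default every 30 days).
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$val = (Get-ItemProperty -Path $netlogon -Name DisablePasswordChange -ErrorAction SilentlyContinue).DisablePasswordChange
if ($null -eq $val) {
    Write-Output 'DisablePasswordChange not set (default 0, rotation enabled)'
} else {
    Write-Output "DisablePasswordChange = $val"
}
```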

VBScript & Fonts on Windows 7

Some VBScript pulled from experts-exchange.com.

This subroutine takes two inputs: the font's registry value name, as found under
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Fonts]
, and the fully qualified filename of the font on the system. It then deletes both:

Remove_Font "Helvectiva XXXXXXXX", "c:\windows\fonts\HELNLTPR.TTF"

Sub Remove_Font(strFontName, strFile)

	Set oFSO = CreateObject("Scripting.FileSystemObject")
	Set oShell = CreateObject("WScript.Shell")
	' If the font file exists
	If oFSO.FileExists(strFile) Then
		' Delete the file (True forces deletion even if it is read-only)
		oFSO.DeleteFile strFile, True
		' RegDelete raises an error if the value does not exist, so trap it
		On Error Resume Next
		oShell.RegDelete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Fonts\" & strFontName
		If Err.Number = 0 Then
			MsgBox strFile & " was removed."
		Else
			MsgBox strFile & " was deleted, but the registry value still exists."
		End If
		Err.Clear
		On Error GoTo 0
	Else
		MsgBox strFile & " was not found."
	End If

	Set oShell = Nothing
	Set oFSO = Nothing

End Sub

Mac OSX 802.1x Profile Removal

sudo mv /Library/Preferences/SystemConfiguration/com.apple.network.eapolclient.configuration.plist /Library/Preferences/SystemConfiguration/com.apple.network.eapolclient.configuration.plist.good