Thursday, June 28, 2012

Deploying File/Folder security using group policy on 64 bit OSes?

Take a gander at this KB Article http://support.microsoft.com/kb/2003730

Group Policy Error Events Logged When Unknown Environment Variable Is Used


If you are running an Active Directory forest and using a file system security policy you may see the following events logged:

Log Name: Microsoft-Windows-GroupPolicy/Operational
Source: Microsoft-Windows-GroupPolicy
Event ID: 7016
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Description: Completed Security Extension Processing in 20984 milliseconds.
Event Xml:
...
20984 1252 Security {827D319E-6EAC-11D2-A4EA-00C04F79F83A}

Windows XP and Windows Server 2003 will log this event in the Application log:

Event ID: 1091
Category: None
Source: Userenv
Type: Error
Message: The Group Policy client-side extension Security failed to log RSOP (Resultant Set of Policy) data. Please look for any errors reported earlier by that extension.

All Windows versions will log this event in the Application log:

Event ID: 1202
Category: None
Source: SceCli
Type: Warning
Message: Security policies were propagated with warning. 0xd: The data is invalid.

Depending on the actual policy configuration, the settings in the security policies may or may not be present. The More Information section explains the conditions for policy failure or success (despite the errors).

Cause

The events are logged because the file system security settings of one policy contain an environment variable that is unknown on the client computer. To find out more about the problem, enable logging of the security configuration client-side extension:
324383 Troubleshooting SCECLI 1202 Events
In the %windir%\security\logs\winlogon.log file, you will see an entry such as:

Process GP template gpt0000x.inf.
-------------------------------------------
Error 13: The data is invalid. Error converting %PROGRAMFILES(X86)%\MyApplication.

%PROGRAMFILES(X86)% is only an example. It is used when the policy is edited on a 64-bit version of Windows and security settings are made for the folder C:\PROGRAM FILES (X86) or one of its subfolders.
The gpt0000x.inf file, a text file containing the policy settings, can be found in the %windir%\security\templates\policies folder. It also contains the location of the policy in Active Directory in the line starting with GPOPath, allowing you to identify which policy has the unknown environment variable.

Resolution

To avoid the problem, create a new policy at the same level that receives the settings referencing the missing environment variable. Then use a WMI filter to allow the policy to only apply to machines that have the environment variable defined.
For example, the WMI filter for %PROGRAMFILES(X86)% would be:
Select * from Win32_Environment where Name = 'PROGRAMFILES(X86)'
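
The following is an added example, not code from the KB article or from this blog. It runs the same Win32_Environment check the WMI filter evaluates, pulls the "Error converting %VAR%" entries out of winlogon.log, and maps each cached gpt*.inf under %windir%\security\templates\policies back to its GPOPath so the GPO carrying the unknown variable can be identified. It assumes the log line format quoted above and that the GPOPath line has the form "GPOPath=<path>" (the KB only says the line starts with GPOPath); the function names are my own.

```powershell
# Added example (not from the KB article): client-side diagnosis of the
# "unknown environment variable" case described above.

function Test-PolicyEnvironmentVariable {
    param([Parameter(Mandatory = $true)][string]$Name)
    # Same condition the WMI filter evaluates: is the variable present in
    # Win32_Environment on this machine? $false means the filtered policy
    # is skipped here instead of producing the 1202 / 7016 events.
    $hit = Get-WmiObject -Class Win32_Environment -Filter "Name='$Name'"
    return [bool]$hit
}

function Get-UnknownPolicyVariable {
    param([string]$LogPath = "$env:windir\security\logs\winlogon.log")
    if (-not (Test-Path $LogPath)) { return @() }
    # Matches e.g. "Error converting %PROGRAMFILES(X86)%\MyApplication."
    # (assumed format, taken from the log excerpt quoted in the post)
    $found = Select-String -Path $LogPath -Pattern 'Error converting (%[^%]+%)'
    $found | ForEach-Object { $_.Matches[0].Groups[1].Value } | Sort-Object -Unique
}

function Get-CachedPolicyTemplate {
    param([string]$TemplateDir = "$env:windir\security\templates\policies")
    $inf = Get-ChildItem -Path $TemplateDir -Filter 'gpt*.inf' -ErrorAction SilentlyContinue
    foreach ($file in $inf) {
        # Assumed line shape "GPOPath=<DN or SYSVOL path>"; first match wins
        $line = Select-String -Path $file.FullName -Pattern '^\s*GPOPath\s*=\s*(.+)$' |
                Select-Object -First 1
        $gpoPath = '(no GPOPath line found)'
        if ($line) { $gpoPath = $line.Matches[0].Groups[1].Value.Trim() }
        New-Object PSObject -Property @{ Template = $file.Name; GPOPath = $gpoPath }
    }
}

# Report: which variables the cached templates could not resolve on this
# client, whether each one is defined here, and which template belongs to
# which GPO.
foreach ($var in Get-UnknownPolicyVariable) {
    $defined = Test-PolicyEnvironmentVariable -Name $var.Trim('%')
    $state = 'NOT defined'
    if ($defined) { $state = 'defined' }
    Write-Host ("{0} is {1} on {2}" -f $var, $state, $env:COMPUTERNAME)
}
Get-CachedPolicyTemplate | Format-Table Template, GPOPath -AutoSize
```

Run it on a client that logged the 1202 warning; a variable reported as NOT defined is one the WMI filter in the KB would exclude that machine from, and the GPOPath column tells you which policy to move the setting out of.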

Tuesday, June 26, 2012

Replicating Directory Changes in filtered set


$Identity = "ENTERPRISE DOMAIN CONTROLLERS"

#read the domain naming context from RootDSE instead of hard-coding it
$RootDSE = [ADSI]"LDAP://RootDSE"
$DefaultNamingContext = $RootDSE.defaultNamingContext
#the two DNS application partitions (DomainDnsZones was wrongly set to ForestDnsZones before)
$ForestDNSZones = "DC=ForestDnsZones,$DefaultNamingContext"
$DomainDNSZones = "DC=DomainDnsZones,$DefaultNamingContext"
$UserPrincipal = New-Object Security.Principal.NTAccount("$Identity")

#/G grants; CA = control access (extended right), named by its display name
DSACLS "$ForestDNSZones" /G "$($UserPrincipal):CA;Replicating Directory Changes in Filtered Set"
DSACLS "$DomainDNSZones" /G "$($UserPrincipal):CA;Replicating Directory Changes in Filtered Set"

Tuesday, June 5, 2012

VMware Physical to Virtual Conversion Speedup

Here is a PowerShell script I wrote that disables SSL for P2V conversions using VMware vCenter Converter.

$xml = New-Object XML
Function FindIT {
#Vista/2008 and later keep the worker config under ProgramData
if (Test-Path "$env:ProgramData\VMware\VMware vCenter Converter Standalone\converter-worker.xml"){
$filelocation = "$env:ProgramData\VMware\VMware vCenter Converter Standalone\converter-worker.xml";return $filelocation }
#2003/XP and older keep it under All Users\Application Data
Elseif (Test-Path "$Env:AllUsersProfile\Application Data\VMware\VMware vCenter Converter Standalone\converter-worker.xml"){
$filelocation = "$Env:AllUsersProfile\Application Data\VMware\VMware vCenter Converter Standalone\converter-worker.xml";return $filelocation}
else {Return $false}
}

#FindIT returns the path or $false; a plain truth test is clearer than the old !(...) -eq $false
$filelocation = FindIT
if ($filelocation){
$xml.Load($filelocation)
#the worker's NFC transport setting lives at Config/nfc/useSsl
if ($xml.Config.nfc.useSsl -eq "true") {
Write-Host "SSL is Enabled.  I'm backing it up and changing it."
#keep exactly one backup of the original config next to it
if (Test-Path "$filelocation.old"){Remove-Item "$filelocation.old" -Force}
Rename-Item "$filelocation" -NewName "$filelocation.old"
$xml.Config.nfc.useSsl = "false"
$xml.Save("$filelocation")
}else{Write-Host "SSL is not enabled"}
} else { Write-Host "I didn't find it where I thought it should be... Sorry." }



Update: I changed the hard-coded path to $env:ProgramData for Vista and later.
Update: I changed the hard-coded path to $Env:AllUsersProfile for 2003 and earlier.

Sunday, June 3, 2012

Set Replicating Directory Changes for Sharepoint Userprofile service


Script to Set Replicating Directory Changes for Sharepoint Userprofile service.

This covers both aspects of the Replicating AD permissions that need to be set up for the sync process to work properly. This was written as a result of reading http://www.harbar.net/articles/sp2010ups.aspx


Function Set-ReplicatingChanges{
param (
$domain,
$path)

#change this for your USER PROFILE SYNC Account
$user = "sp_userprofile"
Write-Host "Granting Replicating Directory Changes on $path"
$acl = Get-Acl ".\$path"
#get sid of user
$objUser = New-Object System.Security.Principal.NTAccount($domain, $user)
$SID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])

#rightsGuid of the DS-Replication-Get-Changes control access right
$ReplicatingChangesGUID = New-Object Guid "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
$act = [System.Security.AccessControl.AccessControlType]::Allow
$ReadProperty = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$GenericExecute = [System.DirectoryServices.ActiveDirectoryRights]::GenericExecute
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

#sets permissions
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList ($SID, $ReadProperty, $act)
$acl.AddAccessRule($ace)
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList ($SID, $GenericExecute, $act)
$acl.AddAccessRule($ace)
#scoped to the replication GUID, so only that one extended right is granted, not all of them
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList ($SID, $ExtendedRight, $act, $ReplicatingChangesGUID)
$acl.AddAccessRule($ace)
Set-Acl -AclObject $acl -Path ".\$path"

}

#import the ActiveDirectory module if it is installed but not yet loaded
if (!(Get-Module -Name ActiveDirectory)){
if ((Get-Module -ListAvailable|?{$_.Name -eq "ActiveDirectory"})){Import-Module ActiveDirectory}
}
#the AD: drive is what lets Get-Acl/Set-Acl work against directory objects
if (Test-Path AD:){cd AD:}else{Write-Host "I couldn't map to AD:" -ForegroundColor Red;break}

$domain = $env:USERDOMAIN
#the naming contexts are the children of AD:\; the domain NC is matched by its NetBIOS name
$configContainer = (gci|?{$_.ObjectClass -eq "Configuration"}).DistinguishedName
$domainDN = (gci|?{$_.Name -eq $domain}).DistinguishedName

Set-ReplicatingChanges $domain $configContainer
Set-ReplicatingChanges $domain $domainDN
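
The script below is an added example and is not part of this post or the June 26 "Replicating Directory Changes in filtered set" post; it serves both. After granting the rights with DSACLS (filtered set on the DNS partitions) or with Set-ReplicatingChanges (domain and configuration partitions), it reads the ACLs back and lists every principal holding any of the three replication extended rights, which both confirms the grant landed and makes any holder you did not expect stand out. It needs the ActiveDirectory module for the AD: drive. The GUIDs are the rightsGuid values of the DS-Replication-Get-Changes, -All and -In-Filtered-Set control access rights; Get-ReplicationRightHolder is my own function name.

```powershell
# Added example (not from the blog): audit who holds replication rights on
# the partitions the two posts touch.
Import-Module ActiveDirectory

# rightsGuid -> display name of the three replication control access rights
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
}
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-ReplicationRightHolder {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        $guid  = $ace.ObjectType.ToString().ToLower()
        $hasExtended = (($ace.ActiveDirectoryRights -band $ExtendedRight) -ne 0)
        $right = $null
        if ($hasExtended -and $ReplicationRights.ContainsKey($guid)) {
            # ACE scoped to exactly one replication right (what both posts create)
            $right = $ReplicationRights[$guid]
        } elseif ($hasExtended -and $guid -eq [Guid]::Empty.ToString()) {
            # ExtendedRight with an empty ObjectType = every extended right
            $right = 'All extended rights (includes replication)'
        } elseif (($ace.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll) {
            $right = 'GenericAll (includes replication)'
        }
        if ($right) {
            New-Object PSObject -Property @{
                Partition = $DistinguishedName
                Identity  = $ace.IdentityReference.Value
                Right     = $right
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}

# The four partitions the two posts modify. ForestDnsZones hangs off the forest
# root domain, which equals the default naming context only in a single-domain
# forest, so the root domain NC is used for it here.
$rootDse    = Get-ADRootDSE
$domainDN   = $rootDse.defaultNamingContext
$partitions = @(
    $domainDN,
    $rootDse.configurationNamingContext,
    "DC=DomainDnsZones,$domainDN",
    "DC=ForestDnsZones,$($rootDse.rootDomainNamingContext)"
)
$partitions | ForEach-Object { Get-ReplicationRightHolder -DistinguishedName $_ } |
    Sort-Object Partition, Identity, Right |
    Format-Table Partition, Identity, Right, Type, Inherited -AutoSize
```

Expect the domain controllers' groups and the built-in administrative groups in the output; the sync account should appear on the domain and configuration partitions with only "Replicating Directory Changes", and the enterprise domain controllers with the filtered-set right on the two DNS partitions.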

Saturday, June 2, 2012

Set IP Address via Powershell

I wanted to script a complete install from PowerShell for my lab environment, so I knew I had to start with some plain old-fashioned calls to WMI and whatnot. I ended up googling it and came across Andy's post over at WordPress: http://getpowershell.wordpress.com/2008/08/13/powershell-function-set-ipaddress/

It is so easily read and cleanly coded that I wanted to share it here as well. The only modifications I made were making the required parameters mandatory and piping some of the responses to Out-Null:



function Set-IPAddress {
param(
[parameter(Mandatory = $true)][string]$networkinterface,
[parameter(Mandatory = $true)][string]$ip,
[parameter(Mandatory = $true)][string]$mask,
[parameter(Mandatory = $true)][string]$gateway,
[parameter(Mandatory = $true)][string]$dns1,
[string]$dns2,
[bool]$registerDns = $true
)

#WMI wants the DNS servers as an array, not as one comma-separated string
$dns = @($dns1)
if($dns2){$dns += $dns2}
#find the adapter by its connection name (e.g. "Local Area Connection")
$index = (gwmi Win32_NetworkAdapter | where {$_.netconnectionid -eq $networkinterface}).InterfaceIndex
#keep the configuration object; piping this line to out-null would leave $NetInterface empty
$NetInterface = Get-WmiObject Win32_NetworkAdapterConfiguration | where {$_.InterfaceIndex -eq $index}
$NetInterface.EnableStatic($ip, $mask)|out-null
$NetInterface.SetGateways($gateway)|out-null
$NetInterface.SetDNSServerSearchOrder($dns)|out-null
$NetInterface.SetDynamicDNSRegistration($registerDns)|out-null
}
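
The two functions below are an added example, not from Andy's post or the function above. Each WMI method Set-IPAddress calls returns an object whose ReturnValue reports success (0) or that a reboot is needed (1); piping to Out-Null throws that away. Assert-WmiReturnValue checks it, and Test-IPAddress reads the adapter configuration back from Win32_NetworkAdapterConfiguration and lists anything that does not match what was requested. The parameter names are assumed to mean the same as in Set-IPAddress, and the addresses in the usage comment are constructed for the example.

```powershell
# Added example (not from the blog): check WMI results instead of discarding them.
function Assert-WmiReturnValue {
    param(
        [Parameter(Mandatory = $true)]$Result,
        [Parameter(Mandatory = $true)][string]$Method
    )
    switch ($Result.ReturnValue) {
        0       { Write-Host "$Method succeeded" }
        1       { Write-Host "$Method succeeded; a reboot is required before it takes effect" }
        default { throw "$Method failed with WMI return code $($Result.ReturnValue)" }
    }
}

function Test-IPAddress {
    param(
        [Parameter(Mandatory = $true)][string]$networkinterface,
        [Parameter(Mandatory = $true)][string]$ip,
        [Parameter(Mandatory = $true)][string]$mask,
        [Parameter(Mandatory = $true)][string]$gateway,
        [Parameter(Mandatory = $true)][string[]]$dns
    )
    $adapter = Get-WmiObject Win32_NetworkAdapter |
               Where-Object { $_.NetConnectionID -eq $networkinterface }
    if (-not $adapter) { throw "No adapter with connection name '$networkinterface'" }
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration |
           Where-Object { $_.InterfaceIndex -eq $adapter.InterfaceIndex }

    # Collect every mismatch rather than stopping at the first. IPAddress and
    # IPSubnet may also carry IPv6 entries, so membership is tested, not equality.
    $problems = @()
    if ($cfg.DHCPEnabled) { $problems += 'DHCP is still enabled' }
    if (@($cfg.IPAddress) -notcontains $ip) {
        $problems += "IP: wanted $ip, adapter has $(@($cfg.IPAddress) -join ',')"
    }
    if (@($cfg.IPSubnet) -notcontains $mask) {
        $problems += "Mask: wanted $mask, adapter has $(@($cfg.IPSubnet) -join ',')"
    }
    if (@($cfg.DefaultIPGateway) -notcontains $gateway) {
        $problems += "Gateway: wanted $gateway, adapter has $(@($cfg.DefaultIPGateway) -join ',')"
    }
    # DNS search order matters, so compare the lists in order
    $actualDns = @($cfg.DNSServerSearchOrder) -join ','
    if ($actualDns -ne ($dns -join ',')) {
        $problems += "DNS order: wanted $($dns -join ','), adapter has $actualDns"
    }
    return $problems
}

# Usage (constructed values):
# $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
# Assert-WmiReturnValue ($cfg.EnableStatic('192.0.2.10', '255.255.255.0')) 'EnableStatic'
# $issues = Test-IPAddress 'Local Area Connection' '192.0.2.10' '255.255.255.0' '192.0.2.1' @('192.0.2.2')
# if ($issues) { $issues | Write-Warning } else { Write-Host 'Adapter matches the requested settings' }
```

An empty array from Test-IPAddress means the adapter matches; a non-empty one is the list of settings that did not stick, which is what a silent `|out-null` in the setter would otherwise hide.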



Friday, June 1, 2012

PowerShell Community Extensions command reference


http://www.codeplex.com/PowerShellCX

How did I get the list below for you?
Get-Command|where {$_.modulename -eq "pscx"}|% {$_.name}

Add-DirectoryLength
Add-PathVariable
Add-ShortPath
call
Clear-MSMQueue
ConvertFrom-Base64
ConvertTo-Base64
ConvertTo-MacOs9LineEnding
ConvertTo-Metric
ConvertTo-UnixLineEnding
ConvertTo-WindowsLineEnding
Convert-Xml
cvxml
Disconnect-TerminalSession
Dismount-VHD
e
Edit-File
Edit-HostProfile
Edit-Profile
ehp
Enable-OpenPowerShellHere
ep
Expand-Archive
Export-Bitmap
fhex
Format-Byte
Format-Hex
Format-Xml
fxml
gcb
Get-ADObject
Get-AdoConnection
Get-AdoDataProvider
Get-AlternateDataStream
Get-Clipboard
Get-DhcpServer
Get-DomainController
Get-DriveInfo
Get-EnvironmentBlock
Get-FileTail
Get-FileVersionInfo
Get-ForegroundWindow
Get-Hash
Get-Help
Get-HttpResource
Get-LoremIpsum
Get-MountPoint
Get-MSMQueue
Get-OpticalDriveInfo
Get-PathVariable
Get-PEHeader
Get-Privilege
Get-PropertyValue
Get-PSSnapinHelp
Get-ReparsePoint
Get-ScreenCss
Get-ScreenHtml
Get-ShortPath
Get-TabExpansion
Get-TerminalSession
Get-TypeName
Get-Uptime
Get-ViewDefinition
gpv
gtn
help
igc
Import-Bitmap
Invoke-AdoCommand
Invoke-Apartment
Invoke-BatchFile
Invoke-Elevated
Invoke-GC
Invoke-Method
Invoke-NullCoalescing
Invoke-Reflector
Invoke-Ternary
Join-String
less
ln
lorem
Mount-VHD
New-Hardlink
New-HashObject
New-Junction
New-MSMQueue
New-Shortcut
New-Symlink
nho
ocb
Out-Clipboard
Out-Speech
Ping-Host
Pop-EnvironmentBlock
Push-EnvironmentBlock
ql
qs
QuoteList
QuoteString
Read-Archive
Receive-MSMQueue
Remove-AlternateDataStream
Remove-MountPoint
Remove-ReparsePoint
Resize-Bitmap
Resolve-ErrorRecord
Resolve-Host
Resolve-HResult
Resolve-WindowsError
rf
rver
rvhr
rvwer
Send-MSMQueue
Send-SmtpMail
Set-BitmapSize
Set-Clipboard
Set-FileTime
Set-ForegroundWindow
Set-LocationEx
Set-PathVariable
Set-Privilege
Set-ReadOnly
Set-VolumeLabel
Set-Writable
Show-Tree
skip
Skip-Object
sls
Split-String
sro
Start-TabExpansion
Stop-RemoteProcess
Stop-TerminalSession
su
swr
tail
Test-AlternateDataStream
Test-Assembly
Test-MSMQueue
Test-Script
Test-UserGroupMembership
Test-Xml
touch
Unblock-File
Write-BZip2
Write-Clipboard
Write-GZip
Write-Tar
Write-Zip