If you support computer labs or any other environment where lots of different people log into your computers daily, you've probably had to deal with user profiles that need to be deleted. The good news is that there is a setting in Group Policy that takes care of that for you.
In your GPO, go to Computer Configuration > Policies > Administrative Templates > System > User Profiles > Delete user profiles older than a specified number of days on system restart. Click Enabled and set the number of days you want to wait before deleting old profiles.
There are two things you'll need to keep in mind: First off, the deletion process happens on reboot. Assuming you're patching regularly, this shouldn't be a problem unless you're dealing with a really high volume of logins. Second, I've had a few situations where the user's profile was deleted, but the C:\Users\username folder stayed behind. The next time the user logged into the computer, they got a new profile folder at C:\Users\username.domain.
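An added example (not from the original post) that checks whether the cleanup policy applied and lists the orphaned folders described above: directories under C:\Users that Windows no longer knows as a profile. It assumes it is run elevated and that the GPO writes the CleanupProfiles value under HKLM\SOFTWARE\Policies\Microsoft\Windows\System.

```powershell
# Added example. Reports the profile-cleanup policy value and any C:\Users
# folders left behind after Windows removed the profile (orphaned folders).
# Assumption: the GPO stores its day count in the registry value below.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$days = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).CleanupProfiles
if ($days) { "Cleanup policy: delete profiles unused for $days days on restart" }
else       { "Cleanup policy is not applied on this computer" }

# Profiles Windows still knows about (same list as System Properties > User Profiles).
$registered = Get-WmiObject -Class Win32_UserProfile |
    ForEach-Object { $_.LocalPath.ToLower() }

# Folders under C:\Users that are not registered profiles. The template and
# shared folders are skipped because they are never registered profiles.
$profileRoot = Join-Path $env:SystemDrive 'Users'
$skip = 'Public', 'Default', 'Default User', 'All Users'
$orphans = Get-ChildItem -Path $profileRoot |
    Where-Object { $_.PSIsContainer -and
                   $skip -notcontains $_.Name -and
                   $registered -notcontains $_.FullName.ToLower() }

# A folder named username.domain next to an orphaned username folder is the
# symptom described above: the user received a fresh profile on next logon.
$orphans | Select-Object FullName, LastWriteTime | Format-Table -AutoSize

# Report only. After reviewing the list, the orphaned folders can be removed with
# $orphans | Remove-Item -Recurse -Force   (add -WhatIf first to preview)
```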
Trekker.net
Diary of a one man IT shop...
Friday, January 20, 2012
Wednesday, January 11, 2012
Configure a DNS Server on Windows Server 2008 R2 to Use OpenDNS
If you're running Active Directory (AD) and want to use OpenDNS, you would think that you just need to update your DHCP server to give out their DNS servers, right? Wrong! Clients in an Active Directory need to point to AD DNS servers. Pointing the clients to third-party DNS can cause problems connecting to AD, Group Policy problems, and a number of other issues.
First, make sure that your clients are using AD DNS. If you only have one Domain Controller (DC), that's the IP address you want to use. Next, you'll need to make a configuration change to your DNS server.
In the Windows Server 2008 R2, click on the Start Menu, Administrative Tools, DNS.
This will open the DNS Manager. In the DNS Manager, double-click on Forwarders.
You should be taken to the Forwarders tab in the server's Properties. Click the Edit... button.
This will open the Edit Forwarders dialog. Type in the IP addresses for OpenDNS: 208.67.222.222 and 208.67.220.220.
It should look something like this when you're done. Click OK to close the dialog box.
After clicking OK, you'll be taken back to the DNS server's Properties. It should look something like the screenshot below.
By default, the Use root hints if no forwarders are available box will be checked. This option is a double-edged sword: If you leave it checked, your DNS server may consult the root hints servers to resolve a DNS entry and could bypass OpenDNS. If you uncheck it and the forwarders are unreachable, your clients could see DNS timeouts.
So, what option do you choose? Well, it really depends on how you're using OpenDNS. If you're using OpenDNS as a content filter somewhere the filter always has to work, like a school, uncheck the box. If it is more important that clients always get timely DNS responses, check the box.
When you're done, click OK.
Now that you've updated your Forwarders, you'll need to clear the DNS cache. To do this, right-click on Cached Lookups in the DNS Manager and choose Clear Cache.
You're done! If you have more than one Windows Server 2008 R2 DNS server, you'll need to perform this change on each one. You'll also need to run ipconfig.exe /flushdns on your clients if you want them to start using OpenDNS immediately. Otherwise, you can wait and they'll move over on their own as items in the DNS cache expire.
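An added example (not from the original post) that audits the forwarder settings described above on every DNS server, so a server that was missed, or one that still falls back to root hints, shows up. It uses the MicrosoftDNS WMI provider that ships with the DNS Server role; the server names in $dnsServers are constructed placeholders, and it assumes admin rights on those servers.

```powershell
# Added example. Checks each DNS server's forwarders against the OpenDNS
# resolvers from the post and reports whether root-hint fallback is on.
$dnsServers = 'dc1', 'dc2'                          # constructed placeholders
$expected   = '208.67.222.222', '208.67.220.220'   # OpenDNS resolvers from the post

foreach ($server in $dnsServers) {
    $dns = Get-WmiObject -ComputerName $server -Namespace 'root\MicrosoftDNS' `
                         -Class MicrosoftDNS_Server -ErrorAction SilentlyContinue
    if (-not $dns) { "$server : could not query the DNS server via WMI"; continue }

    $forwarders = @($dns.Forwarders)
    $missing = $expected   | Where-Object { $forwarders -notcontains $_ }
    $extra   = $forwarders | Where-Object { $expected   -notcontains $_ }

    # IsSlave = $true means forward-only: the "Use root hints if no forwarders
    # are available" box is unchecked, so lookups cannot bypass OpenDNS.
    $mode = if ($dns.IsSlave) { 'forward-only (root hints fallback off)' }
            else              { 'root hints fallback ON (can bypass OpenDNS)' }

    "$server : forwarders = $($forwarders -join ', ') ; $mode"
    if ($missing) { "$server : MISSING forwarder(s): $($missing -join ', ')" }
    if ($extra)   { "$server : unexpected forwarder(s): $($extra -join ', ')" }
}
```

To make the same change from a command prompt on 2008 R2, dnscmd can set the forwarders and the forward-only mode in one step (`dnscmd <server> /ResetForwarders 208.67.222.222 208.67.220.220 /Slave`; omit `/Slave` to keep the root hints fallback) and then clear the cache (`dnscmd <server> /ClearCache`).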
Tuesday, December 20, 2011
Group Policy Quick Tip - Enable Backup of the TPM Password
If you're using BitLocker, you need to be backing up the TPM owner password. By default, Windows does not back up this information when you encrypt a computer with BitLocker. Should you need to make changes to the TPM device, you'll need this password.
Where is the policy located? Computer Configuration > Policies > Administrative Templates > System > Trusted Platform Module Services > Turn on TPM backup to Active Directory Domain Services
How should the policy be configured? Set the policy to Enabled and check Require TPM backup to AD DS.
Where do I view the TPM password in Active Directory?
In Active Directory Users and Computers, make sure that you've got the Advanced Features enabled. Go to the View menu and make sure there is a checkbox by Advanced Features.
In the Computer object Properties, click on the Attribute Editor tab. Scroll down to the msTPM-OwnerInformation attribute. Click the Edit button to view the full value.
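Checking one computer at a time in the Attribute Editor doesn't scale, so here is an added example (not from the original post) that reports which computer accounts have msTPM-OwnerInformation populated and which do not. It assumes the ActiveDirectory module (RSAT or Server 2008 R2), read access to the attribute, and a constructed placeholder OU in $searchBase.

```powershell
# Added example. Lists computers with and without a backed-up TPM owner password
# in AD. It never prints the attribute value itself, only whether it exists.
Import-Module ActiveDirectory

$searchBase = 'OU=Laptops,DC=example,DC=com'   # constructed placeholder OU
$attr       = 'msTPM-OwnerInformation'

$computers = Get-ADComputer -Filter * -SearchBase $searchBase -Properties $attr

$report = foreach ($c in $computers) {
    # msTPM-OwnerInformation is the TPM owner authorization; treat it as a
    # secret and record only its presence.
    New-Object PSObject -Property @{
        Name        = $c.Name
        TpmBackedUp = [bool]$c.$attr
    }
}

# Computers without a backup are listed first so they can be followed up
# (e.g. the policy has not applied yet, or the machine has no TPM).
$report | Sort-Object TpmBackedUp, Name | Format-Table Name, TpmBackedUp -AutoSize

$backedUp = @($report | Where-Object { $_.TpmBackedUp }).Count
"TPM owner information backed up for $backedUp of $(@($report).Count) computers"
```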
Tuesday, December 13, 2011
How do I fix "The TPM is defending against dictionary attacks and is in a time-out period."?
If you try to manage BitLocker drive encryption on a computer that has had a user type in his/her PIN too many times, you may get this error:
BitLocker Drive Encryption Error
Cannot run.
The TPM is defending against dictionary attacks and is in a time-out period.
To resolve this issue, open the Trusted Platform Module (TPM) Management console by running tpm.msc from the Run or Search box. In the TPM Management console, click on Reset TPM Lockout.
Click on I want to enter the owner password. (You do have the TPM owner password, don't you? If you're not backing it up to Active Directory, here's how you can do it!)
Type in the TPM owner password and click Reset TPM Lockout.
You're done!
Wednesday, November 30, 2011
Microsoft Security Essentials 4.0 Beta Screenshot Tour
Earlier today, Microsoft released Microsoft Security Essentials 4.0 Beta (specifically, version 4.0.111.0) into the wild. According to Microsoft Connect, version 4.0 of MSE includes enhanced protection through automatic malware remediation, enhanced performance, simplified UI, and a new and improved protection engine.
The install is pretty typical. MSE is supported on Windows XP SP3, Windows Vista SP1 or SP2, and Windows 7 SP1. The installer still looks very much like Forefront Endpoint Protection.
Minor complaint: Microsoft Security Essentials just warns you that you need to uninstall any other antivirus/antispyware software by giving you a link. Seeing as just about every major antivirus software out there now registers itself with the Action Center, it would be nice if the software at least offered you the name of what you're running. If they are really going for a simplified UI and a user experience that even the most non-technical person can handle, they would uninstall preexisting antivirus. I'm guessing that there are probably some legal or other contractual reasons why they aren't doing that.
Before getting to the scan, it took less than 60 seconds to install the software. The download of the definitions took a bit longer, but a lot of factors can influence that speed.
The tray icon hasn't changed, but you might notice that the icons on the tabs above are now gone and some of the graphics have changed.
A few options are missing now: Default Actions is gone and Microsoft SpyNet is now Microsoft Active Protection Service.
Real-time protection now only has one option:
And under Advanced..., Scan removable drives is still not checked by default.