Applying User GPO Settings to a Computer

Today, I wanted to apply some Group Policy settings to users who log in to certain computers in an OU. More specifically, I wanted to create a Scheduled Task for users who log in to servers. In my research I found that this is technically called Loopback Processing of Group Policy. Using this feature of Group Policy, you can apply a User-based GPO to users who log in to the computers the GPO is applied to.

The first thing I did was build out my Group Policy the way I wanted it, just like a normal GPO. I created some Scheduled Tasks that would run as the user and would be created when they log in.

Next, I turned on the setting that applies the GPO to users as well. Navigate to Computer Configuration – Policies – Administrative Templates – System – Group Policy.

Screenshot of Group Policy GPO folder filtered

From within there, you will find the policy labeled: Configure user Group Policy loopback processing mode. Set it to Enabled. Below is the Help section of the group policy setting. Here is a link to the related Microsoft article. You may want to do more research before you turn this setting on, as I only tested it in my Home Lab. It could have more far-reaching effects that I am unaware of.

A screenshot of the GPO item Configure user Group Policy loopback processing mode

This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used.

By default, the user’s Group Policy Objects determine which user settings apply. If this setting is enabled, then, when a user logs on to this computer, the computer’s Group Policy Objects determine which set of Group Policy Objects applies.

If you enable this setting, you can select one of the following modes from the Mode box:

“Replace” indicates that the user settings defined in the computer’s Group Policy Objects replace the user settings normally applied to the user.

“Merge” indicates that the user settings defined in the computer’s Group Policy Objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer’s Group Policy Objects take precedence over the user’s normal settings.

If you disable this setting or do not configure it, the user’s Group Policy Objects determine which user settings apply.

Note: This setting is effective only when both the computer account and the user account are in at least Windows 2000 domains.

ADFS WID Error: An exception occurred while enqueueing a message in the target queue

I had to do some troubleshooting on our ADFS (Active Directory Federation Service) servers today and I noticed the Event Viewer was completely full of hundreds of these messages every minute:

An exception occurred while enqueueing a message in the target queue. Error: 15517, State: 1. Cannot execute as the database principal because the principal “dbo” does not exist, this type of principal cannot be impersonated, or you do not have permission.

There were so many of these messages that I couldn’t see anything else, and filtering was taking too long. So I did a little bit of research on this and, with my SQL DBA background, I was able to figure it out. My knowledge of ADFS is limited and this fix worked in our environment, but every environment is different, so make sure it will work in yours too before following this!

The issue is that when ADFS connects to its WID (Windows Internal Database), it executes as dbo, the owner of the database. When the database owner is no longer valid, you get the impersonation error above and ADFS can no longer connect. Most likely (this is just my assumption for my environment) ADFS was set up a long time ago by a different user that no longer exists, which invalidated the owner of the DB. All that needs to be done is change the DB ownership. In my environment this resolved the error messages instantly, without a reboot or service restart, and it had to be done on each ADFS server.

Many other sites say to install the full SSMS, but that can require reboots, no pending updates, etc. It is actually not necessary if you use PowerShell. If you don’t already have it installed for one reason or another, install the PowerShell SQL commands:

Run PowerShell ISE (plain PowerShell will work, I just prefer ISE) AS ADMINISTRATOR. Run this command (be sure it’s OK with your security team that you install this or follow any of the steps below):

Install-Module sqlserver

After installing the SqlServer module, you can verify whether this is the issue with the command below.

Invoke-Sqlcmd -ServerInstance "np:\\.\pipe\MICROSOFT##WID\tsql\query" -Query "select name,owner_sid from sys.databases"

After running the command, if sa does own the DBs (meaning this is NOT your issue) you should see {1, 0, 0, 0…} in every owner_sid row. If you see something other than {1, 0, 0, 0…}, as in the screenshot below, then you COULD be affected by this (it’s possible the owner is still a valid user).

To change the owner of the DBs, run these two commands.

Invoke-SQLcmd -ServerInstance "np:\\.\pipe\MICROSOFT##WID\tsql\query" -Query "ALTER AUTHORIZATION ON DATABASE::[AdfsArtifactStore] TO [sa]"
Invoke-SQLcmd -ServerInstance "np:\\.\pipe\MICROSOFT##WID\tsql\query" -Query "ALTER AUTHORIZATION ON DATABASE::[AdfsConfiguration] TO [sa]"

After running those commands, you should no longer see any new events in the error log.
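To settle the "it's possible the owner is still a valid user" question before changing anything, the following added script (mine, not part of the original post) asks WID to resolve each ADFS database's owner_sid to a login name with SUSER_SNAME(), which comes back NULL exactly when the owner no longer exists; only those databases are then reassigned. It assumes the SqlServer module is installed, an elevated shell on the ADFS server itself, and ADFS database names starting with "Adfs" as in the post.

```powershell
# Added example (not from the original post): find WID databases whose
# owner SID no longer maps to a login, then optionally repair them.
# Assumes the SqlServer module is installed and the shell runs elevated
# on the ADFS server (WID only accepts local named-pipe connections).
$Wid = 'np:\\.\pipe\MICROSOFT##WID\tsql\query'

function Get-WidDatabaseOwner {
    # SUSER_SNAME() returns NULL when the SID does not resolve to a
    # login, which is the condition behind error 15517. The LIKE filter
    # keeps the scope to the ADFS databases named in the post.
    $Query = @"
SELECT name,
       owner_sid,
       SUSER_SNAME(owner_sid) AS owner_login
FROM sys.databases
WHERE name LIKE 'Adfs%';
"@
    Invoke-Sqlcmd -ServerInstance $Wid -Query $Query |
        Select-Object name, owner_login,
            @{ Name = 'OwnerValid'
               # NULL arrives from Invoke-Sqlcmd as [System.DBNull]
               Expression = { -not ($_.owner_login -is [System.DBNull]) } }
}

function Repair-WidDatabaseOwner {
    # Reassigns ownership only for databases whose owner is invalid.
    # Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$NewOwner = 'sa')
    foreach ($db in Get-WidDatabaseOwner | Where-Object { -not $_.OwnerValid }) {
        if ($PSCmdlet.ShouldProcess($db.name, "ALTER AUTHORIZATION TO [$NewOwner]")) {
            Invoke-Sqlcmd -ServerInstance $Wid `
                -Query "ALTER AUTHORIZATION ON DATABASE::[$($db.name)] TO [$NewOwner]"
        }
    }
}

# Show the current owner state, then preview the repair.
Get-WidDatabaseOwner | Format-Table -AutoSize
Repair-WidDatabaseOwner -WhatIf
```

Drop -WhatIf to apply the change; a database whose OwnerValid column is True is left alone even if its owner is not sa.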

I hope this helps you! Please let me know if it does in the comments below!

Sophos XG Firewall Windows DHCP Server not getting IP Addresses

I recently set up Sophos XG Firewall in my Home Lab, along with VLANs, firewall rules, DHCP relays pointing to my Windows DHCP Server, etc. The whole nine yards. After I had everything working, I decided to add in the rest of my VLANs and create relays for them so they all worked without a hitch. After doing this, which should not have affected the VLANs that were already working, nothing was getting DHCP addresses. Not even the ones that had been working.

I spent MANY hours trying to figure out why. I tried changing all of my firewall rules to any-any, etc. Nothing worked. After looking in the logs, I noticed this:

Firewallmessageid="02002" log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" in_interface="Port1.21" out_interface="" src_mac="68:b5:99:6f:b5:fe" src_ip="10.124.216.41" src_country="" dst_ip="10.124.219.254" dst_country="" protocol="UDP" src_port="67" dst_port="67" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature"

The traffic was being denied by firewall rule 0 under Appliance Access. But why? It shouldn’t have been a firewall rule blocking it, because I had put in an Any-Any rule. I tried changing everything. But it came down to one.. simple.. thing.. Here is my setup so you can understand the issue.

The Setup

  • VLAN 110 – 192.168.0.0/24 – Networking equipment
    • Sophos XG Firewall – IP 192.168.0.5
  • VLAN 111 – 192.168.1.0/24 – Servers
    • Windows AD/DNS/DHCP Server – 192.168.1.10
  • VLAN 112 – 192.168.2.0/24 – Clients (no IP address)
    • Laptop
    • Cellphone

In Windows DHCP, I set up DHCP subnets for all three VLANs. Then in Sophos, I set up a DHCP relay for just the Clients VLAN.

It worked! I was getting IP addresses assigned to the Clients.

The Issue

Then I decided to set up VLANs for every subnet and made quite a few other changes to get to that perfect lab I was hoping for. I looked up and noticed all my Chromecasts were saying they couldn’t get an IP. I checked and, sure enough, DHCP was no longer handing out IP addresses.

The Resolution

After much trial and error, I found that putting a DHCP relay on the subnet the DHCP server itself was on caused all the DHCP requests to fail.

Someone may have a better understanding of it and can explain it better in the comments, but my assumption is this: when a client sends a DHCP request, it broadcasts to its entire VLAN on UDP ports 67/68 in search of a DHCP server. The gateway at 192.168.2.1 forwards this to the 192.168.1.0/24 VLAN, receives the response on that subnet, and broadcasts it back out to the requesting VLAN.

If you put a DHCP relay on the same subnet as the DHCP server, then when the server tries to “blast” the response back, the gateway takes that request and tries to re-broadcast it within the same subnet. This creates a malformed loop and causes the request to fail. Thus, removing the DHCP relay on the VLAN the DHCP server is in should fix this.

Please let me know if you have a better understanding of the cause or if this helps you!
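Spotting this failure in a log export is quicker than reading each line by eye. The added script below (mine, not from the original post) parses Sophos XG key="value" log lines and lists only Appliance Access denies of UDP 67/68 traffic, the pattern shown above; the two sample lines are constructed, the first modelled on the deny in the post and the second being unrelated allowed DNS traffic.

```powershell
# Added example (not from the original post): flag Appliance Access
# denies of DHCP relay traffic in exported Sophos XG firewall log lines.
# $SampleLog is constructed: line 1 mirrors the deny from the post,
# line 2 is unrelated allowed traffic that must not be reported.
$SampleLog = @'
messageid="02002" log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" fw_rule_id="0" in_interface="Port1.21" src_ip="10.124.216.41" dst_ip="10.124.219.254" protocol="UDP" src_port="67" dst_port="67"
messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id="3" in_interface="Port1.22" src_ip="192.168.2.20" dst_ip="192.168.1.10" protocol="UDP" src_port="51234" dst_port="53"
'@

function ConvertFrom-SophosLogLine {
    # Turns one key="value" log line into an object with a property per key.
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        $fields = @{}
        foreach ($m in [regex]::Matches($Line, '(\w+)="([^"]*)"')) {
            $fields[$m.Groups[1].Value] = $m.Groups[2].Value
        }
        [pscustomobject]$fields
    }
}

function Find-DeniedDhcpRelay {
    # Keeps only denies raised by Appliance Access (not a numbered firewall
    # rule) for UDP traffic on the DHCP server/relay ports 67 and 68.
    param([string[]]$Lines)
    $DhcpPorts = @('67', '68')
    $Lines | ConvertFrom-SophosLogLine | Where-Object {
        $_.status -eq 'Deny' -and
        $_.log_component -eq 'Appliance Access' -and
        $_.protocol -eq 'UDP' -and
        ($DhcpPorts -contains $_.dst_port -or $DhcpPorts -contains $_.src_port)
    } | Select-Object in_interface, src_ip, src_port, dst_ip, dst_port, fw_rule_id
}

# Expect exactly the Port1.21 deny; the DNS line is filtered out.
Find-DeniedDhcpRelay -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

Feed a real export with `Find-DeniedDhcpRelay -Lines (Get-Content .\firewall.log)`; the in_interface column tells you which VLAN's relay is being refused.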

Creating Rooms in Office 365 Exchange Online and Add To Rooms List

The title above is quite long, but exactly to the point – I found myself unsure how to add a resource room in Office 365 for Exchange Online, because the existing rooms were set up by previous employees and none had been added since. Then I needed to add it to the Rooms List. I will walk you through my process for creating a room and adding it to a room list. This was done in a hybrid environment (Exchange Online and Exchange 2013).

Create User Account

The first step is to create a regular AD user account. I created it in Active Directory Users and Computers. You will not need to know the password, so set it to something crazy long and forget it. Be sure to set the password to never expire. After all of this is said and done, we will disable the account for security.

I filled out Display Name, Telephone Number and Password Never Expires.

Nothing happens when Compacting VHD in Hyper-V

For the past couple of days, I have been trying to compact a couple of virtual machine hard disks (VHDX) via Hyper-V Manager. One of them worked without a hitch; for the other, I would go to Hyper-V Manager, click Edit Disk and follow the normal procedure, but when I clicked Finish the dialog would just go away without ever actually changing the size. I found a way around this using a one-line PowerShell command!