What is a GPO (Group Policy Object)? Create and Apply a GPO

You can control almost every aspect of Active Directory users and computers with Group Policy Objects: the user desktop experience (theme and wallpaper), printer installation, security configuration such as password complexity, folder redirection and software installation. Every Windows OS has a built-in Group Policy Object known as the default or local GPO. In Active Directory you can link GPOs at the site, domain, OU and sub-OU level; a GPO only applies to the users and computers under the container it is linked to.

How to create and link a GPO: There are two ways to create a GPO for Active Directory objects.

  1. One way to create a Group Policy Object is to right-click the domain or OU (or whichever container you want the GPO linked to) in Group Policy Management on Server 2008 R2 and choose "Create a GPO in this domain, and Link it here". In the New GPO dialog box, type a name for the new GPO and click OK.

create a GPO for domain

To customise it, right-click the newly created GPO and click Edit. Linking the GPO to the container is what applies it; you do not need to set Enforced as well. Enforced only makes this link win over conflicting settings in GPOs linked lower in the tree and overrides "Block Inheritance" on child OUs, so set it only when you need that.

edit a GPO in server 2008 R2

  2. The second way is to create the GPO under the Group Policy Objects node of Group Policy Management (under Features in Server Manager): right-click it, choose New, and type a name for the GPO in the New GPO dialog box.

group policy object

Once you have completed the settings for this new GPO, you can either drag it to the node where you want it applied, or right-click the OU or domain where you want it to apply and click "Link an Existing GPO...". Select the GPO from the list and click OK.
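The same create/link/enforce steps from the GroupPolicy module that ships with GPMC on Server 2008 R2, as an added example (this is not code from the original article). The OU "HR" and the GPO name "HR-Desktop" are assumptions; use the domain DN as the target to link at domain level.

```powershell
# Added example, not the article's own code. Assumed names: OU "HR" in w7cloud.com
# and a GPO called "HR-Desktop". Run from an account with GPO creation rights.
Import-Module GroupPolicy

$domain  = 'w7cloud.com'
$target  = 'OU=HR,DC=w7cloud,DC=com'      # assumed OU; 'DC=w7cloud,DC=com' links at the domain
$gpoName = 'HR-Desktop'                   # assumed GPO name

# Method 2 from the article: create the GPO first (unlinked, so it applies nowhere yet) ...
$gpo = Get-GPO -Name $gpoName -Domain $domain -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Domain $domain -Comment 'Desktop settings for HR'
}

# ... then "Link an Existing GPO" to the OU. The link is what makes the GPO apply.
$links = (Get-GPInheritance -Target $target -Domain $domain).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $target -Domain $domain -LinkEnabled Yes | Out-Null
}

# Enforced is optional: it makes this link win over conflicting GPOs linked lower in
# the tree and pass through OUs that have "Block Inheritance". Set it only when needed.
Set-GPLink -Name $gpoName -Target $target -Domain $domain -Enforced Yes | Out-Null

# Check 1: links on the OU in processing order, with their Enabled/Enforced state.
Get-GPInheritance -Target $target -Domain $domain |
    Select-Object -ExpandProperty GpoLinks |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# Check 2: who can edit the GPO. Edit rights on a GPO mean the ability to push any
# setting (scripts, software, security) to every linked computer and user, so
# review every trustee that has more than read/apply.
Get-GPPermissions -Name $gpoName -Domain $domain -All |
    Where-Object { $_.Permission -ne 'GpoRead' -and $_.Permission -ne 'GpoApply' } |
    Format-Table @{n='Trustee'; e={ $_.Trustee.Name }}, Permission -AutoSize
```

On Server 2012 and later the permissions cmdlet is named Get-GPPermission; the plural name remains as an alias.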

link to existing GPO


Windows Server 2008 Backup and Recovery with Server Backup Feature

You can perform backup and recovery on Windows Server 2008 using the Windows Server Backup feature, which you install from Features in Server Manager. Here I will show you how to schedule a backup and then how to recover from it. Keep in mind that Windows Server Backup is not an enterprise backup solution; it has many limitations (for example, a scheduled backup to a remote shared folder keeps only the most recent backup, because each run overwrites the previous one). You can back up your system volume including the system state, boot files, the AD DS database and the AD DS logs. A backup that includes the AD DS database contains every password hash in the domain, so the backup location must be protected as tightly as a domain controller.

Schedule a backup in server 2008

To schedule a backup you need an administrative account. Open Server Manager, right-click Windows Server Backup and choose Schedule Backup (or Backup Once for a single run). A wizard starts. Under Backup Configuration you choose the type of backup: Full server backs up every volume, so the backup destination cannot be a volume that is itself included in the backup (for example the volume the server is installed on); Custom lets you pick individual volumes, files and folders. Since I am giving a demo, I am choosing the Custom option and adding the files and folders to back up with the Add Items button. Set the schedule time. Next set the destination type, which can be a local drive or a remote shared folder; I am choosing the remote shared folder and providing my shared folder path. Then finish the wizard.

Recover from a backup in server 2008:

You can recover from an already scheduled backup by right-clicking Windows Server Backup and choosing Recover. The wizard asks for the backup storage location; in my case it is a remote shared folder, so I choose the second option ("A backup stored on another location") and click Next. It then shows the backup points, one for each successfully completed backup. Choose the required point and click Next, select the items you want to recover from that backup, and choose where to restore them (the original location or another location). Recovery takes some time depending on the backup size.
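The schedule, one-off backup, version listing and file recovery steps above, driven with wbadmin.exe (the command-line front end of Windows Server Backup) from an elevated PowerShell session. This is an added example, not the article's own commands; the share \\BACKUP1\srvbackup, the account W7CLOUD\svc-backup, the folder C:\HRData and the version identifier are assumptions.

```powershell
# Added example, not from the original article. Assumed values: the backup share
# \\BACKUP1\srvbackup, the account W7CLOUD\svc-backup and the folder C:\HRData.
# wbadmin must run from an elevated prompt on the server being backed up.
$target = '\\BACKUP1\srvbackup'

# The share credentials are handed to wbadmin in clear text on its command line,
# so run this interactively from an elevated session, not from a stored script.
$cred  = Get-Credential 'W7CLOUD\svc-backup'
$plain = $cred.GetNetworkCredential().Password

# 1. "Schedule Backup": daily at 21:00, C:\HRData plus the system state (AD DS
#    database and logs, registry, boot files). On a network target only the
#    latest run is kept.
wbadmin enable backup "-addtarget:$target" -schedule:21:00 -include:C:\HRData -systemState `
    "-user:$($cred.UserName)" "-password:$plain" -quiet

# 2. "Backup Once" to the same share.
wbadmin start backup "-backupTarget:$target" -include:C:\HRData -systemState `
    "-user:$($cred.UserName)" "-password:$plain" -quiet

# 3. The backup points the Recover wizard shows. -machine matters when several
#    servers back up to the same share.
wbadmin get versions "-backupTarget:$target" "-machine:$env:COMPUTERNAME"

# 4. Recover C:\HRData from one point into D:\Restore. CreateCopy keeps the live
#    files untouched, which is what you want while you verify the restore.
#    Replace the version with one printed by "get versions" (MM/DD/YYYY-HH:MM).
$version = '01/15/2012-21:00'                  # assumed version identifier
wbadmin start recovery "-version:$version" -itemType:File -items:C:\HRData `
    "-backupTarget:$target" -recoveryTarget:D:\Restore -recursive -overwrite:CreateCopy -quiet

# Lock the share down: only the backup account and Domain Admins should be able
# to read it, since the system state backup contains the AD DS database.
Get-Acl -Path $target | Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

For a system state restore on a domain controller use `-itemType:App -items:AD` (or `wbadmin start systemstaterecovery`) from Directory Services Restore Mode, not the file recovery shown here.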


Recover the Archived Key in CA | Recover Lost Certificates

I will show you how to recover a certificate and its private key using a key recovery agent. Make sure key archival was enabled on the template before the certificate was issued; otherwise the private key was never archived and cannot be recovered. You can learn more about Key Archiving in Certificate Services.

Using the recovery agent, you convert the archived key into an importable form and then import it on the user's machine where the certificate was lost. First we will see how to export the recovery agent's own certificate to a .PFX file so that it can be imported on another machine. Be careful with this file: the recovery agent's private key decrypts every key archived on the CA, so use a strong password and delete the file as soon as it has been imported.

Create a .PFX file of the recovery agent certificate:

Log in to the user machine with the recovery agent account (see how to create a recovery agent), open MMC and add the Certificates snap-in from Add/Remove Snap-in. Under Personal, open the properties of the recovery agent certificate by double-clicking the certificate you want to export.

certificate properties

On the Details tab click Copy to File. A wizard starts; click Next and select the option "Yes, export the private key".

export the private key

Export the certificate as Personal Information Exchange (PFX). Set a strong password and select the location where you want to save the file. I have set the path for this file to \\CA\C$\hr-cert.pfx, where CA is the name of the certificate server.

export as PFX certificate

Now log in to the CA server with the recovery agent account, open the Certificates MMC, right-click the Personal folder and import the certificate you exported in the step above from \\CA\C$\hr-cert.pfx.

import certificate on CA

Provide the password and also select the "Mark this key as exportable" option. Delete hr-cert.pfx from the admin share once the import succeeds; it contains the recovery agent's private key.


Now open an administrative command prompt and run the certutil command that retrieves the archived key from the CA database as a BLOB (binary large object) file for the user who lost the certificate. In my case this user is HR@w7cloud.com.

Then run the certutil command that decrypts this BLOB file with the recovery agent key and creates a PFX file from it.

It will ask you for a password; provide it and the PFX file will be created at \\CA\C$\hr-certificate.pfx, which you can import.
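The two certutil steps just described, run as the recovery agent, as an added example (the article itself does not show the commands). The CA configuration string CA.w7cloud.com\w7cloud-CA is an assumption, since the article never gives the CA's common name; the KRA certificate is assumed to sit in the agent's CurrentUser Personal store, as the article places it.

```powershell
# Added example, not the article's own commands. Assumptions: the CA is reached as
# CA.w7cloud.com\w7cloud-CA (CA common name not given in the article), the KRA
# certificate with its private key is in the current user's Personal store, and
# the user who lost the certificate is HR@w7cloud.com.
$caConfig = 'CA.w7cloud.com\w7cloud-CA'        # assumed Machine\CAName
$user     = 'HR@w7cloud.com'                    # search token: UPN, CN, serial number or cert hash
$blob     = 'C:\Recovery\hr.blob'
$pfx      = '\\CA\C$\hr-certificate.pfx'

New-Item -ItemType Directory -Path (Split-Path $blob) -Force | Out-Null

# Step 1: pull the archived key out of the CA database. The caller needs the
# "Issue and Manage Certificates" permission on the CA. The blob is still
# encrypted to the KRA certificate, so this step alone exposes nothing.
certutil -config $caConfig -getkey $user $blob
if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed for $user" }

# Step 2: decrypt the blob with the KRA private key and write a password-protected
# PFX containing the user's certificate and private key.
$pw = Read-Host 'Password for the PFX file'
certutil -recoverkey -p $pw $blob $pfx
if ($LASTEXITCODE -ne 0) { throw 'certutil -recoverkey failed' }

# Both files now carry the user's private key. Remove the blob immediately and
# delete the PFX from the admin share after it has been imported on the client.
Remove-Item $blob -Force
Get-Item $pfx | Select-Object FullName, Length, LastWriteTime
```

If the recipient's account is known, `-ProtectTo` (a SAM name or SID list) can replace `-p` so that the PFX is protected to the HR user's account instead of a password that has to be communicated out of band.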

Import the certificate from the PFX file:

Now log in to the client system as the HR user (the user whose key I exported) and simply double-click hr-certificate.pfx. After the wizard completes, the certificate is added to the user's store; you can verify this from the Certificates MMC console. Delete the PFX file afterwards, since it contains the private key.

Auto enrollment of computer certificate

In this article I will show you how to auto-enroll computer certificates for Active Directory computers. The method is almost the same as auto-enrollment of user certificates, but computer certificates need their own Group Policy settings under Computer Configuration. I am using the same three systems as in the previous articles:

Domain controller: W7cloud.com

CA server: CA.w7cloud.com, with the Certification Authority role installed. You can learn more about installing the Certification Authority role on Server 2008.

Test Client: PC3.w7cloud.com

You can issue computer certificates either by creating a duplicate of the Computer template in Certificate Templates, or by using the default Computer template found in Certificate Templates (under your CA in the Certification Authority console) as it is. Here I am using the default Computer template instead of creating a duplicate. We just need to define a Group Policy for auto-enrollment.

GPO for computer certificate

Create a Group Policy for auto-enrollment of computer certificates and edit it. Under Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies, open the properties of "Certificate Services Client - Auto-Enrollment" and set it to Enabled.

Certificate services client enabling autoenrollment

Then, under Automatic Certificate Request Settings in the same Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies node, request the computer certificate with a new Automatic Certificate Request. This is a small wizard where you just select the Computer certificate template for auto-enrollment.

Automatic Certificate Request

For testing, log on to your test client; I am using PC3.w7cloud.com. Open an MMC console, add the Certificates snap-in and select Computer account when prompted. You will find the computer certificate under the Personal folder.

Computer certificate on MMC

Tip: for quick enrollment, run gpupdate in an administrative command prompt, and restart the client system if needed.


Auto Enrollment of User Certificate in Active Directory

With auto-enrollment, certificates are distributed automatically by the certificate authority without the user even being aware that enrollment is taking place. Certificates issued to computers and services are normally issued by auto-enrollment.

Here I will show you how to auto-enroll user certificates using a certificate authority in Active Directory. You need the following steps to accomplish this task:

  • Create and configure the Duplicate Template
  • Assign Read, Enroll and Autoenroll permissions
  • Publish the Certificate
  • Create a Group Policy for auto enrollment

For better understanding I want to share my network topology with you. I am using three systems for this task.

  1. Domain controller: w7cloud.com
  2. Certificate Authority server: ca.w7cloud.com, with AD Certificate Services installed. You can learn more about installing Certificate Services.
  3. W7-client: w7-client.w7cloud.com, where we will test auto-enrollment of the user certificate.

 Create and configure the Duplicate Template:

Go to Certificate Templates and create a duplicate of the "User" template by right-clicking it and choosing Duplicate Template. Select Windows Server 2008 Enterprise as the template version (my clients run Windows 7) and give the new template a name. Creating a duplicate template is also described in Key Archiving in Certificate Services; you can refer to that article.

Once you create the duplicate, it asks you for settings. Choose them according to your requirements, but keep the following important settings in mind when creating a duplicate user template.

User Template properties

For example, select the purpose of the user certificate; I am choosing "Signature and encryption".

User Template properties

From the Cryptography tab you can select the algorithm and key size of your choice. I am using RSA with a 2048-bit key size.

Be careful with the checkboxes on the Subject Name tab: if your users do not have an e-mail address set in Active Directory, do not select the e-mail name checkboxes, otherwise enrollment fails for those users and they never receive a certificate.

Subject name certificate3

The other important thing for the user template is to grant Domain Users the Read, Enroll and Autoenroll permissions on the Security tab so that domain users can get certificates. Do not grant Write or Full Control to Domain Users: anyone who can modify the template can change what it issues.

right assignment

Click Apply and OK; you will find the template under Certificate Templates on your CA server.
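Setting the Read, Enroll and Autoenroll rights for Domain Users on the duplicated template from PowerShell, followed by the check a security engineer wants on every template: that no broad group holds write rights on it. This is an added example, not the article's own procedure; the template cn "W7cloudUser" is an assumption, and the ActiveDirectory module (RSAT / AD DS on Server 2008 R2) is assumed to be available.

```powershell
# Added example, not from the original article. Assumption: the duplicate template
# was saved with the cn "W7cloudUser". Templates live in the Configuration
# partition, so this works from any domain member with the AD module.
Import-Module ActiveDirectory

$templateCn = 'W7cloudUser'                      # assumed cn of the duplicate template
$cfgNc = (Get-ADRootDSE).configurationNamingContext
$dn    = "CN=$templateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"

# Control-access-right GUIDs AD CS uses on templates (schema-defined, forest-wide).
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$autoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

$sid   = (Get-ADGroup 'Domain Users').SID
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$acl   = Get-Acl -Path "AD:\$dn"

# Read is an ordinary AD right; Enroll and Autoenroll are extended rights keyed by GUID.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead, $allow)))
foreach ($g in @($enrollGuid, $autoEnrollGuid)) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow, $g)))
}
Set-Acl -Path "AD:\$dn" -AclObject $acl

# Audit: a principal with write rights on the template can change its subject name
# rules, EKUs or key archival and so turn a plain user template into a way to
# obtain certificates for other identities. Flag any such ACE for broad groups.
$broad = @('Domain Users', 'Authenticated Users', 'Everyone', 'Domain Computers')
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner, WriteProperty, GenericAll, GenericWrite'

(Get-Acl -Path "AD:\$dn").Access | ForEach-Object {
    $who = $_.IdentityReference.Value
    $isBroad = $false
    foreach ($b in $broad) { if ($who -like "*\$b" -or $who -eq $b) { $isBroad = $true } }
    $hasWrite = (($_.ActiveDirectoryRights -band $writeMask) -ne 0)
    if ($isBroad -and $_.AccessControlType -eq 'Allow' -and $hasWrite) {
        Write-Warning "$who holds $($_.ActiveDirectoryRights) on template $templateCn; remove the write access"
    }
}

# Final state, for the record.
(Get-Acl -Path "AD:\$dn").Access |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType -AutoSize
```

In the output, an ACE with ActiveDirectoryRights "ExtendedRight" and ObjectType 0e10c968-... is Enroll, and one with a05b8cc2-... is Autoenroll; ExtendedRight with an all-zero ObjectType means every extended right on the template.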

Publish the Certificate

To issue this template to Active Directory users, right-click Certificate Templates under your CA in the Certification Authority console and click New > Certificate Template to Issue. Select your user template from the list.

 Issue certificate to active directory

Then right-click the CA name in the Certification Authority console, choose Properties, and on the Recovery Agents tab select "Archive the key" and add your recovery agent certificate with the Add button.

Archive the user key

 Create a Group Policy:

Now I will create a Group Policy for auto-enrollment of the user certificate. You can create a Group Policy by right-clicking the required domain under Features > Group Policy Management and choosing the first option, "Create a GPO in this domain, and Link it here". You can learn how to add/create Group Policy in Active Directory.

Create a group policy for autoenrollment in active directory

Choose a name for the GPO and click OK. Now right-click the newly created Group Policy and click Edit to define your own settings.

Edit GPO

Under User Configuration\Policies\Windows Settings\Security Settings\Public Key Policies, enable "Certificate Services Client - Auto-Enrollment".

Enable Autoenrollment for user certificate

Now, to test, log in to your client with a domain user, open MMC, choose Add/Remove Snap-in from the File menu, add the Certificates snap-in and click OK. Under Personal\Certificates you will find your user certificate.

user certificate on client MMC

Note: You may not find the certificate at your first login to the client machine. Try the following troubleshooting steps:

  • Restart client computer
  • Run gpupdate and certutil -pulse in an administrative command prompt.
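The "Certificate Services Client - Auto-Enrollment" setting for both the computer side (the computer certificate article above) and the user side (this article), written with the GroupPolicy module instead of the policy editor, followed by the client-side troubleshooting steps with a check of what actually arrived. This is an added example and not code from the original articles. It assumes a GPO named "PKI-AutoEnroll" that already exists and is linked, and that AEPolicy=7 is the value the policy editor writes for Enabled with both options selected; the Automatic Certificate Request step for the computer template is still done in the editor as the article shows.

```powershell
# Added example, not from the original articles. Assumption: a linked GPO named
# "PKI-AutoEnroll" already exists (created as in the Group Policy article).
Import-Module GroupPolicy
$gpoName = 'PKI-AutoEnroll'                      # assumed GPO name

# --- On the domain controller or management station ---
# HKLM = Computer Configuration (computer certificates), HKCU = User Configuration
# (user certificates). AEPolicy 7 = Enabled + renew/update/remove + template updates.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null
    # Expiry-notification threshold and store list the editor writes alongside AEPolicy.
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'OfflineExpirationPercent' -Type DWord -Value 10 | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'OfflineExpirationStoreNames' -Type String -Value 'MY' | Out-Null
}
Get-GPRegistryValue -Name $gpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' |
    Format-Table ValueName, Value -AutoSize

# --- On the client (PC3 / w7-client), in an elevated PowerShell session ---
function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # v1 templates such as "Machine" and "User" carry 1.3.6.1.4.1.311.20.2;
    # v2+ templates (your duplicate) carry 1.3.6.1.4.1.311.21.7.
    $ext = $Cert.Extensions | Where-Object {
        $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' -or $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' } |
        Select-Object -First 1
    if ($ext) { $ext.Format($false) } else { '(no template extension)' }
}

gpupdate /force | Out-Null
certutil -pulse | Out-Null                       # fire the autoenrollment task now

# Did the policy reach the client? Check the computer and the logged-on user's hive.
foreach ($path in 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment',
                  'HKCU:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment') {
    $v = (Get-ItemProperty -Path $path -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    '{0,-68} AEPolicy={1}' -f $path, $v
}

# Which certificates were enrolled, from which template, and when they expire.
foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    Get-ChildItem $store | ForEach-Object {
        '{0,-22} {1,-35} template={2} expires={3:yyyy-MM-dd}' -f $store, $_.Subject, (Get-TemplateName $_), $_.NotAfter
    }
}
```

If AEPolicy shows as empty on the client, the GPO has not applied (check the link, security filtering and `gpresult /r`); if it is 7 but no certificate appears, the problem is on the CA side: template not issued, missing Autoenroll permission, or a subject-name option the user cannot satisfy.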