Thursday, November 20, 2014

How to See Which Group Policies are Applied to Your PC and User Account

We have shown you a lot of tips and tricks here at How-To Geek that require the modification of a Group Policy Object. Over time you may have wondered which Group Policy settings you have edited–so here’s how to figure that out.
Note: This will work on Windows 7 Professional and higher, as well as the Windows 8 Release Preview.

Through a GUI

The easiest way to see which Group Policy settings have been applied to your machine or user account is the Resultant Set of Policy snap-in. To open it, press the Win + R keyboard combination to bring up a Run box.
Type rsop.msc into the Run box and press Enter.
You will see a progress dialog for the short time it takes Windows to query your system.
Once the console opens you will be able to see which settings have been applied to your PC.
Note: Only settings that have actually been applied to your machine and user account will show up; anything left at Not Configured in every GPO is simply absent from the tree.

Through the Command Line

You can also use the command line if you prefer it. Note that you have to specify the scope of the results. To list all the policies applied to your user account, use:
gpresult /Scope User /v
Scroll down and you will see the Resultant Set Of Policies for User section.
If you want all policies applied to the computer, just change the scope:
gpresult /Scope Computer /v
Scroll down and this time the output contains a Resultant Set Of Policies for Computer section. The computer scope reads machine-level data, so on Windows Vista and later it must be run from an elevated (Run as administrator) command prompt or it will report access denied. Either scope also lists the GPOs that were in scope but filtered out, under "The following GPOs were not applied because they were filtered out", with the reason (security filtering or a WMI filter); that list is the first place to look when a policy you expect to see is missing.
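The same information, pulled once into a report and filtered in PowerShell. This is an added example, not part of the original post: it runs gpresult /X to write the RSoP report as XML, lists every GPO that was in scope together with whether it actually applied and why not, and then lists the Administrative Template settings the report marks as Enabled or Disabled. The element names used (Rsop, ComputerResults, UserResults, GPO, Link, FilterAllowed, AccessDenied, ExtensionData, Policy) follow the XML report gpresult produces on Windows 7 / Server 2008 R2 and later; PowerShell 3 or later is assumed, and the computer scope is present only when the script is run from an elevated prompt.

```powershell
# Added example (not from the original post): list the GPOs and Administrative
# Template settings gpresult reports, and flag GPOs that were in scope but did
# not apply. Requires PowerShell 3+; run elevated to get the computer scope.

function Get-RsopReport {
    param([string]$Path = (Join-Path $env:TEMP 'rsop.xml'))
    # /X = XML report, /F = overwrite. Both scopes are included when elevated.
    gpresult /X $Path /F | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "gpresult failed with exit code $LASTEXITCODE" }
    return [xml](Get-Content -Path $Path -Raw)
}

function Get-AppliedGpo {
    param([xml]$Report = (Get-RsopReport))
    foreach ($scope in 'ComputerResults', 'UserResults') {
        $results = $Report.Rsop.$scope
        if (-not $results) {
            Write-Warning "$scope missing from report (computer scope needs an elevated prompt)"
            continue
        }
        foreach ($gpo in $results.GPO) {
            # A GPO that is linked but has AccessDenied=true or FilterAllowed=false was
            # filtered out by security filtering or a WMI filter: a hardening GPO you
            # expected to apply can sit here without ever reaching the machine.
            $applied = ($gpo.Enabled -eq 'true') -and ($gpo.IsValid -eq 'true') -and
                       ($gpo.AccessDenied -ne 'true') -and ($gpo.FilterAllowed -ne 'false')
            $reason = ''
            if (-not $applied) {
                $reason = if ($gpo.AccessDenied -eq 'true') { 'security filtering' }
                          elseif ($gpo.FilterAllowed -eq 'false') { 'WMI filter' }
                          else { 'link disabled or GPO invalid' }
            }
            [pscustomobject]@{
                Scope        = $scope -replace 'Results$', ''
                Name         = $gpo.Name
                LinkedAt     = @($gpo.Link.SOMPath) -join '; '
                AppliedOrder = @($gpo.Link.AppliedOrder) -join '; '
                Applied      = $applied
                Reason       = $reason
            }
        }
    }
}

function Get-AppliedAdmxSetting {
    param([xml]$Report = (Get-RsopReport))
    foreach ($scope in 'ComputerResults', 'UserResults') {
        foreach ($ext in @($Report.Rsop.$scope.ExtensionData.Extension)) {
            # Registry-based (Administrative Template) settings are reported as Policy
            # elements carrying Name, State (Enabled/Disabled) and the ADMX Category path.
            foreach ($p in @($ext.Policy)) {
                if (-not $p) { continue }
                [pscustomobject]@{
                    Scope    = $scope -replace 'Results$', ''
                    Category = $p.Category
                    Name     = $p.Name
                    State    = $p.State
                }
            }
        }
    }
}

$report = Get-RsopReport
Get-AppliedGpo -Report $report | Format-Table Scope, Name, Applied, Reason, LinkedAt -AutoSize
Get-AppliedAdmxSetting -Report $report | Where-Object State -eq 'Enabled' |
    Sort-Object Scope, Category, Name | Format-Table Scope, Category, Name -AutoSize
```

Keep the XML file: it is the same data rsop.msc shows, in a form you can diff against a baseline or check into a ticket, and a GPO that appears with Applied = False is the answer to "why is this setting not in effect" far more often than a typo in the policy itself.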
 

Tuesday, November 4, 2014

WhatsApp – How To Install On An iPad With iOS 8

Released last month, Apple's iOS 8 has become the newest and most advanced operating system for most iPhone and iPad users. Using WhatsApp was about the easiest thing you could do on the previous version of iOS, but it has become a challenge for anyone unfamiliar with the many changes Apple has made. Many iPad users on iOS 8 are unable to install WhatsApp because errors and issues show up during the process. Those who have jailbroken Apple devices in the past might be tempted to try that again, but there is a much simpler way to install the app on an iOS 8 iPad. Follow the step-by-step guide below.
Step 1. Download and install iFunBox on your PC or Mac. Pick the build that matches your computer's operating system (Windows XP, Windows 8, Mac OS X 10.10 Yosemite beta, and so on).
Step 2. Install WhatsApp on your iPhone through iTunes as usual, but not version 2.11.11: use the older 2.11.8 .ipa, which is the one that works with iOS 8. Once the app is installed, launch iFunBox on your computer.
Step 3. Connect your iPhone to the computer with its cable. If iTunes is open, close it.
Step 4. Create a new folder on your computer and name it whatever you like, e.g. "WhatsApp".
Step 5. In the iFunBox window, find "User Applications" in the left pane. Select WhatsApp and double-click it.
Step 6. You are now in the folder that holds all of WhatsApp's files and folders on your iPhone. Select all of them, click "Copy to Mac" and choose the folder you created in step 4 as the destination.
Step 7. Disconnect the iPhone from the computer.
Step 8. Connect your iPad with its cable. Make sure iTunes is closed; if it starts when the device is connected, close it.
Step 9. In iFunBox, click "Install App", select the WhatsApp 2.8.7 .ipa and click "Open".
Step 10. Once the app is installed, go to "User Applications" and double-click the WhatsApp folder.
Step 11. Select all files and click "Copy from Mac". In the window that opens, go to the folder you created in step 4, select the files you copied there in step 6, and click "Open". The files are transferred from your computer into the WhatsApp folder on the iPad.
Step 12. Disconnect the iPad from the computer.
Step 13. Run WhatsApp on your iPad.
The process is not complicated and does not require jailbreaking, which can leave an iOS 8 iPad unusable. Two things to keep in mind. First, what you copied in step 6 is the app's entire container, including the account registration and the message database, so that folder identifies your account just as well as the phone does: keep it somewhere safe, delete it when you are done, and only install an .ipa you obtained through your own iTunes account rather than one downloaded from a third-party site. Second, you won't be able to run WhatsApp on both your iPhone and iPad at the same time, so close the app on one device before switching to the other. To be safe, turn off "Background App Refresh" for WhatsApp on both devices: go to "Settings", tap "WhatsApp" and switch off "Background App Refresh".

Wednesday, October 8, 2014

Ten Things We Know About Windows 10

After months of speculation and plenty of leaks, Microsoft has given the world its first official look at the next version of Windows. The biggest surprise is its name - Windows 10. While some of the new features are predictable, others come as surprises. It's clear that Microsoft has gone back to the drawing board after enduring endless criticism of its bold Windows 8 strategy and redesign. The reinvented Windows tries to combine the best of both worlds.

1. Windows 10 will be designed to appeal to office workers 
After years of dealing with complaints that Windows 8 was too different to roll out in large-scale corporate environments and would require massive resources to be spent on retraining users, Microsoft has decided to appeal to that crowd by incorporating familiar elements and hiding features that won't be applicable. The new Start menu is a prime example of this.

2. ...and corporate IT managers
On the management side, Windows 10 promises better security, easier manageability, and improved capabilities for dealing with today's security threats. There will also be improved methods of installing and dealing with volume licenses, making the upgrade process easier. Custom app stores will help corporate environments to deal with software deployments and permissions. There is still a huge install base of Windows XP machines in office environments which work just fine, but Microsoft's new features might be tempting enough for managers to finally decide that an upgrade is worthwhile.
3. Windows 10 will scale from small smartphones to giant data centres
The Windows 10 name will apply to future versions of Windows Phone as well as Windows on tablets, desktop PCs and hybrid portable devices. The same experience will carry over to the Xbox One console and potentially other devices as well. Users will see an interface suited to their device type, screen size and input methods, so for example, the full-screen Start UI will not necessarily be a part of the desktop usage experience, but will appear for touch-first tablet users. There will even be a way for users to switch between the two modes, especially if they use tablets with detachable or foldable keyboards.

4. The new Start menu will combine Windows 7's usability with Windows 8's tiles
While a lot might change between now and the final release of Windows 10, previews indicate a two-column Start menu with old-style icons for pinned or recent programs on the left, and live tiles on the right displaying updates and information. The tiles will be customisable, though at their smallest size they will be functionally identical to pinned shortcuts.

5. Modern apps will run in windows on the desktop
Desktop users will be able to run Modern apps (downloaded from the Windows store) on the desktop just like other apps. They will be resizeable and can be pinned to the task bar. Important functions will be accessible through a context menu.

6. Virtual Desktops are finally coming to Windows
A mainstay of OS X and most Linux distributions for years, virtual desktops have remained a niche feature on Windows. In another move aimed at appeasing hardcore desktop users, virtual desktops are now baked right in. A new Task View will let you see an overview of all running apps and arrange them between desktops. 

7. Snap has also been improved

You can now quickly tile four apps at once on the Windows 10 desktop just by dragging them to the corners of your screen. You'll see suggestions for filling up your screen so that you don't have to deal with overlapping windows. Desktop users with large monitors will rejoice. 
8. Search and power user features will be improved
The new search feature combines local and Web results. You can begin searching just by typing when the Start menu is open, which means you can continue to hit the Start button and just start typing, exactly as in Windows 8. Microsoft has another treat for power users: finally, you can use the simple Ctrl+V shortcut to paste text into the Command Prompt.

9. The Charms bar isn't going anywhere

Just like with the Start screen, Microsoft isn't completely removing all vestiges of Windows 8. The Charms bar remains, though most probably only visible to users of touch-first devices. It will be improved, and those Windows 8 users who are familiar with it can continue to use it.

10. There's much more to come
Microsoft has teased that there are plenty of good reasons for its decision to skip a Windows 9 and jump two version numbers ahead. We hope to see many more improvements and refinements of the concepts that have been demonstrated so far. With public beta releases not too far away, it's going to be an eventful year leading up to the final release of Windows 10.

Windows 10 Unveiled; Microsoft Skips Windows 9 to Emphasise Advances

The next version of Microsoft's flagship operating system will be called Windows 10, as the company skips version 9 to emphasize advances it is making toward a world centred around mobile devices and Internet services.

The current version, Windows 8, has been widely derided for forcing radical behavioural changes. Microsoft is restoring some of the more traditional ways of doing things and promises that Windows 10 will be familiar for users regardless of which version of Windows they are now using.

For instance, the start menu in Windows 10 will appear similar to what's found in Windows 7, but tiles opening to the side will resemble what's found in Windows 8.

Joe Belfiore, a Microsoft executive who oversees Windows design and evolution, said Windows 10 will offer "the familiarity of Windows 7 with some of the benefits that exist in Windows 8" to help business users make the transition.

Microsoft offered a glimpse of its vision for Windows at a San Francisco event Tuesday aimed at business customers. Although the new software won't be formally released until next year, analysts already consider its success crucial for Microsoft and new CEO Satya Nadella.

The new software represents an attempt to step back from the radical redesign that alienated many PC users when Windows 8 was introduced two years ago. But it's not a complete retreat from Microsoft's goal of bridging the gap between PCs and mobile devices: It still has touch-screen functions and strives to create a familiar experience for Windows users who switch between desktop computers, tablets and smartphones.

Microsoft executive Terry Myerson said Windows 10 will be "a whole new generation" and, as expected, will work across a variety of devices - from phones to gaming consoles.

Microsoft currently has three main systems - Windows 8 for traditional computers and tablets, Windows Phone 8 for cellphones and Xbox for its gaming console. By unifying the underlying systems, software developers will be able to create apps for the various devices more easily. Consumers will also be able to switch devices more easily and avoid having to buy the same apps multiple times.

Sunday, September 7, 2014

How to Detect SSL flaws in Mobile Apps

The Secure Sockets Layer protocol (SSL) is a foundational technology on the modern Internet, enabling data in transit to be encrypted and travel securely. Yet according to security researchers Tony Trummer and Tushar Dalvi, many popular mobile apps do not properly implement SSL.

Trummer and Dalvi, both security researchers working at LinkedIn, detailed their findings in a session at the DEF CON security conference over the weekend. The research was not sponsored or endorsed by their employer and was done on their own time.
In many of the mobile apps they tested on both iOS and Android, the two found that developers had disabled certificate authority (CA) validation: the check that the server's certificate chains up to a trusted root CA and is valid. Without it, any certificate is accepted, including one minted on the spot by an attacker sitting between the app and the server.

Checking for CA validation

Trummer and Dalvi suggested a simple test for CA validation. Install Burp Suite, a web application security testing toolkit with free and paid editions. Burp acts as an intercepting proxy and generates a certificate for each host on the fly, signed by its own CA.
Point the device running the app at the proxy, without installing Burp's CA certificate on the device. A properly validating app will refuse to connect, because the chain it is offered ends in a root it does not trust. If the app's HTTPS traffic still flows through the proxy and shows up decrypted in Burp, CA validation is not working.

Checking hostname verification

With SSL it is also important that the name on the certificate matches the host being contacted; a certificate that chains to a trusted CA but was issued for a different name must still be rejected. To test this, obtain a valid certificate for a domain other than the target, configure Burp to present that certificate, and again point the app at the proxy. If the app's HTTPS traffic still flows, hostname verification is missing or has been replaced with one that accepts any name.
Trummer noted that there are also apps that send sensitive information such as credit card data with no SSL or encryption at all. Mobile app developers need to be trained on proper SSL implementation, he said, and vendors should have policies in place to make sure data in transit is secured.
For Android, Trummer pointed at the TrustManager, SSLSocket and HostnameVerifier code in an app as the places to scrutinise: a custom X509TrustManager whose checkServerTrusted method does nothing, or a HostnameVerifier whose verify method always returns true, is how validation usually gets switched off.
For iOS, the areas to check are the _AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_ build flag in AFNetworking, the private setAllowsAnyHTTPSCertificate:forHost: method on NSURLRequest, and the kCFStreamSSLAllowsAnyRoot setting for CFStream sockets.
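The two Burp tests above, reproduced from the client side in PowerShell. This is an added example and not code from the researchers' talk: it opens a TLS connection to a host, optionally through an intercepting proxy such as Burp using an HTTP CONNECT tunnel, hands .NET's SslStream a validation callback that always returns $true (exactly the "accept anything" pattern the article warns about) and records what the platform validator would have rejected: an untrusted Burp-signed chain in the first test, a name mismatch in the second. The host example.com and the proxy address 127.0.0.1:8080 in the usage lines are assumptions; PowerShell 3 or later and .NET 4.x are assumed as well.

```powershell
# Added example (not from the original article): reproduce the Burp test from the
# client side. The callback below is the insecure "return $true" pattern the talk
# warns about; here it is used only to capture the errors a correct client would
# have acted on. Assumes PowerShell 3+, .NET 4.x and, optionally, an HTTP proxy.

function Test-TlsValidation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [string]$ProxyHost,            # e.g. 127.0.0.1 for a local Burp listener (assumption)
        [int]$ProxyPort = 8080
    )
    $seen = @{ Errors = $null; ChainStatus = @() }   # filled in by the callback
    $tcp = $null; $ssl = $null
    try {
        if ($ProxyHost) {
            # Open an HTTP CONNECT tunnel, as an app pointed at Burp would.
            $tcp = New-Object System.Net.Sockets.TcpClient($ProxyHost, $ProxyPort)
            $stream = $tcp.GetStream()
            $req = [Text.Encoding]::ASCII.GetBytes("CONNECT ${HostName}:${Port} HTTP/1.1`r`nHost: ${HostName}:${Port}`r`n`r`n")
            $stream.Write($req, 0, $req.Length)
            $buf = New-Object byte[] 4096
            $n = $stream.Read($buf, 0, $buf.Length)
            $reply = [Text.Encoding]::ASCII.GetString($buf, 0, $n)
            if ($reply -notmatch '^HTTP/1\.[01] 200') {
                throw "Proxy refused CONNECT: $(($reply -split "`r?`n")[0])"
            }
        } else {
            $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
            $stream = $tcp.GetStream()
        }
        # INSECURE ON PURPOSE: accept any certificate, but remember what was wrong with it.
        # An app with this callback (or an empty checkServerTrusted) passes both Burp tests.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $sslPolicyErrors)
            $seen.Errors      = $sslPolicyErrors
            $seen.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
            return $true
        }.GetNewClosure()
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # SNI and name check use $HostName
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            HostName      = $HostName
            ViaProxy      = [bool]$ProxyHost
            Protocol      = $ssl.SslProtocol
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            PolicyErrors  = $seen.Errors                  # None, RemoteCertificateChainErrors, RemoteCertificateNameMismatch
            ChainStatus   = $seen.ChainStatus -join ', '  # e.g. UntrustedRoot for a Burp-signed certificate
            WouldValidate = ($seen.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
    }
}

# Direct: expect PolicyErrors = None. Through Burp with its CA NOT installed on this
# machine: expect RemoteCertificateChainErrors / UntrustedRoot. With Burp presenting a
# valid certificate for a different name: expect RemoteCertificateNameMismatch.
Test-TlsValidation -HostName example.com
Test-TlsValidation -HostName example.com -ProxyHost 127.0.0.1 -ProxyPort 8080
```

WouldValidate is what a correctly written client decides; the app under test is broken if it keeps talking in a case where this probe reports False. One trap the probe makes visible: if Burp's CA has been imported into the Windows root store for browser testing, the proxied run reports None and proves nothing, which is the same mistake in reverse on the device. The test only means something when the client under test does not trust the proxy's CA.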


Friday, July 11, 2014

Google catches Indian Government Agency with Fake Digital Certificates


Google has identified and blocked unauthorized digital certificates for a number of its domains issued by the National Informatics Centre (NIC) of India, a unit of India’s Ministry of Communications and Information Technology.

The National Informatics Centre (NIC) holds several intermediate CA certificates that chain up to the Indian government's root CA, the Indian Controller of Certifying Authorities (India CCA). That root is included in the Microsoft Root Store, so it is trusted by a large number of applications running on Windows, including Internet Explorer and Chrome.

Rogue certificates like these are a serious security and privacy threat: an attacker holding one can intercept and read HTTPS traffic between a user's device and a website that both sides believe is encrypted end to end, with no browser warning.

Google became aware of the certificates on Wednesday, July 2. Within 24 hours India CCA had revoked all of the NIC intermediate certificates, and Google pushed a CRLSet update to block the misissued certificates in Chrome. CRLSets are Chrome's mechanism for blocking certificates in an emergency without waiting for a full browser update.

Google believes that no other root stores include the India CCA certificates, which means Chrome on other operating systems (Chrome OS, Android, iOS and OS X) was not affected.
"Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although misused certificates for other sites may exist," said Google security engineer Adam Langley.
Langley added: "Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of widespread abuse and we are not suggesting that people change passwords."
It is the second high-profile incident of a government agency issuing fraudulent SSL certificates since December, when Google revoked trust in a certificate for several of its domains that had been mistakenly issued by an intermediate CA belonging to the French government.

Google has taken a number of measures to improve the security of its certificates. SSL certificates remain a core element of online security, yet with hundreds of entities able to issue them, it is hard for a site operator to find certificates issued for its domains without proper procedure.

One such measure is Google’s recently launched Certificate Transparency project, which provides an open framework for monitoring and auditing SSL certificates in nearly real time. Specifically, Certificate Transparency makes it possible to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority. 

DigiCert was one of the first certificate authorities to implement Certificate Transparency, after working with Google for a year to pilot the project.

Google has also upgraded its SSL certificates from 1024-bit to 2048-bit RSA keys. The longer key makes factoring the key, and thus breaking the SSL connections that protect your email, banking transactions and more, far more difficult; it does not make them unbreakable, and it does nothing against the misissuance described above, which is what pinning and Certificate Transparency are for.

How to Watch Netflix in India or any other country


Saturday, June 14, 2014

6 amazing things you didn't know about your computer


It's a ritual across the globe: somewhere between sticking the kettle on and complaining about last night's match, you'll probably hit the button on your ageing company PC and wait while it slowly thinks about turning on. Rather than take it for granted, though, it's worth taking a couple of minutes to realise a few of the things your poor robot slave does without you ever knowing.

1. Bits, Bytes, and Size

Next time you complain about the pitiful memory capacity of your old 8GB iPod Touch, it's worth remembering what makes up eight whole gigabytes. Computer science grads will know that in every gigabyte there are 1024 megabytes, 1024 kilobytes in a megabyte, and 1024 bytes in a kilobyte. Breaking it down to the lowest level, you've got 8 bits in a byte.

Why does that matter? Because on a flash drive, each bit of data is stored as a charge in a floating-gate transistor: one transistor per bit in single-level-cell flash, two or more bits per transistor in the multi-level-cell flash most consumer devices use, and the charge is read back as either a '1' or a '0'. (Want to be impressed even further? Each floating gate relies on quantum tunnelling to work.) That means the 8GB iPod Touch you were laughing at a minute ago for being puny holds, by back-of-the-napkin maths, 68,719,476,736 bits, and at one cell per bit a similar number of floating gates, arrayed inside that svelte aluminium body. Mighty clever engineering indeed.

2. Everything you see or hear on the internet is actually on your computer

All your computer-whizz friends probably delight in telling you how having a 'library' of videos is so 2008, that no-one torrents any more, it's all Netflix and iPlayer and 'The Cloud', whatever that means. But, you might want to remind them: every time you stream a video or the week's latest Top 40 off the web, it's actually, technically playing off your computer.

See, every internet media file has to make a local copy of itself on your machine, first. Ever wondered what that white buffering bar means on YouTube or Netflix? It's the amount of video that's been copied to the local cache, a.k.a. the amount you can still watch if your internet decides to up and die.

3. The distance data travels

A quick experiment for you: click this link, which should take you to Wikipedia. With one click, you've just fetched a bunch of data from servers in Ashburn, Virginia, about 6000km away. Your request has travelled from your computer, through a local Wi-Fi router or a modem, up to a local data centre, from there onwards (under the Atlantic Ocean, if you're in the UK), all the way to Virginia, and back again – in around 0.1 of a second, depending on how good your internet connection is.

By comparison, your body takes around 0.15 of a second for a signal to pass from your fingers, up your spinal cord to the brain, and back down again.

4. Counting Starts at Zero

At a base level, every computer's just a really big, complicated calculator. But thanks to the way its intrinsic circuitry works – with lots of little logic gates that are either 'on' or 'off' – every action that takes place at a base level is happening in binary, where things are either a 1 or a 0, with no shades of grey in between.

This actually translates up to a neat bit of programming trivia – in the computer science world, all counting (with the rather notable exceptions of Fortran and Visual Basic) starts at zero, not one.

It actually makes a lot more sense – ever thought about why the 20th century refers to the 1900s? It's because when historians decided on the dating system, they weren't clever enough to call the very first century (0-99AD) the 0th century. If they had, we'd probably have far fewer confused school children the world over.

5. The work that goes into a Ctrl+C, Ctrl+V

One rather under-appreciated fact about solid state drives (SSDs), regarded as the gold standard for fast, reliable storage, is the amount of copying they have to do. When you want to copy some data from one place to another, it's not just a matter of shuffling the data from one part of the drive to another.

Because of the complicated way a SSD works, over-writing a block of old data with some shiny new data isn't as simple as just writing the new stuff in with a bigger, thicker Sharpie. Rather, the storage drive has to do some complicated shuffling around.


In practice, this can mean that writing a tiny 4KB file requires the drive to read a 2MB block (hundreds of times more data than the 4KB you're trying to write), store it temporarily, erase the block, and then write all of it back. It's rather labour-intensive, so think before you juggle your files around next time.

6. Code isn't as clean as you think

Most of us put our faith in bits of technology we don't quite understand, whether that's committing your life to a 747 or your dirty pics to Snapchat's auto-delete. When you do, you generally assume that the code has been scrupulously examined by teams of caffeine-fuelled programmers, with most of the niggling little bugs found and nixed.

The truth seems to be quite the opposite. One Quora user pointed out that buried within the source code for Java, one of the internet's fundamental bits of code, is this gem:

/**
* This method returns the Nth bit that is set in the bit array. The
* current position is cached in the following 4 variables and will
* help speed up a sequence of next() call in an index iterator. This
* method is a mess, but it is fast and it works, so don't f*ck with it.
*/
private int _pos = Integer.MAX_VALUE;

It just goes to show that even programmers rush things to get home for the next installment of Game of Thrones sometimes.

Thursday, June 5, 2014

How to Use Active Directory

Active Directory lets an organization arrange its computers, users and network resources in one place and store and process that information centrally. It is a highly scalable directory service that makes efficient management of network resources possible. The technology it is built on is fairly advanced and managing every directory-related task takes real expertise, so to understand how to use Active Directory we will first start with an overview of the service.
Active Directory is based on standard Internet protocols that let you design the exact structure of your network. It uses DNS (Domain Name System) to organize groups of computers into domains, which are in turn arranged into hierarchical structures. DNS is an integral part of Active Directory and must be configured on the network before Active Directory is installed. Once DNS is in place, Active Directory can be installed by running the Active Directory Installation Wizard:
Click Start, click Run, type dcpromo in the Open field and then click OK. (On Windows Server 2012 and later, dcpromo has been retired in favour of the Server Manager role wizard and the Install-ADDSForest and Install-ADDSDomainController cmdlets.)
When no domain exists, the wizard helps you create a new one. Once installation completes, you will find that Active Directory is organized into a logical structure and a physical structure. The logical structure comprises domains, domain trees, forests and organizational units, while the physical structure consists of sites and subnets.
The logical structures help you arrange Active Directory objects and manage network accounts and shared resources. The physical structures map the physical network topology of the organization, steer replication and logon traffic between locations, and set physical boundaries.
An Active Directory domain is a set of computers sharing a common directory database, a unique domain name, and a single set of security policies and trust relationships with other domains. The domain's database holds objects such as user accounts, groups, computer accounts, folders, printers and shared resources. A forest comprises one or more domains that share common directory data (the schema and configuration).
Organizational units (OUs) are logical containers or subgroups within a domain that represent the functional structure of an organization. OUs are used to arrange Active Directory objects into groups, assign Group Policies to them and delegate authority over domain resources.
Since Active Directory is the foundation of Windows distributed networks, administrators use it to locate objects such as users, security policies, distributed components and shared resources in a domain. Besides LDAP and ADSI, Active Directory can be accessed through WMI, whose directory provider maps every class and object in the AD data store to a WMI class and instance. Through that interface, WMI-enabled applications and scripts can create new instances, retrieve classes and instances, modify or delete instances, query Active Directory and enumerate its classes and instances.

Windows 2008 Active Directory

Over the last few years, Windows Server 2008 has been replacing the ageing Windows Server 2003 and Windows Server 2003 R2 domain controllers. Moving from an earlier Windows Server DC to Windows Server 2008 without disturbing Active Directory is a considerable task, and the key decision is which migration method to use.
Let us first look at the options for migrating from a Windows Server 2003 / 2003 R2 Active Directory to Windows Server 2008 Active Directory.
In-place upgrading: Both Windows Server 2003 and 2003 R2 can be upgraded in place to Windows Server 2008 (the architecture cannot change, so a 32-bit 2003 server cannot be upgraded in place to 64-bit 2008). Before the first Windows Server 2008 domain controller is introduced, by whichever method, administrators must run adprep.exe from the Windows Server 2008 installation media to prepare the forest and domain, because a 2008 DC requires schema extensions and permission changes that 2003 does not have. The utility is run with the following commands:
'ADPREP /FORESTPREP' (for the Schema Master)
  1. Executed on the domain controller holding the Schema Master FSMO role
  2. Updates the AD forest (schema extensions and forest-wide configuration)
  3. Does not change the "Partial Attribute Set"
  4. Requires membership of Schema Admins, Enterprise Admins and Domain Admins in the forest root domain
'ADPREP /DOMAINPREP' (for the Infrastructure Master)
  1. Executed on the domain controller holding the Infrastructure Master FSMO role, once per domain
  2. Updates the AD domain
'ADPREP /DOMAINPREP /GPPREP' (for the Infrastructure Master)
  1. Executed on the Infrastructure Master FSMO role holder
  2. Updates the AD domain and the SYSVOL permissions (needed for RSoP planning mode)
'ADPREP /RODCPREP' (for read-only domain controllers; optional)
  1. Executed on the Domain Naming Master FSMO role holder
  2. Updates permissions on the application partitions so an RODC can participate in their replication
  3. Only needed when upgrading from Windows Server 2003 AD and RODCs will be deployed
Restructuring: In this method, administrators restructure the entire Active Directory: all resources are moved from one domain to another. The Active Directory Migration Tool (ADMT) is the best utility for restructuring into a Windows Server 2008 Active Directory environment.
Transitioning: With transitioning, Windows Server 2008 domain controllers are added to the existing Active Directory environment. The first step in this migration is to move the FSMO (Flexible Single Master Operations) roles. Next, the previous domain controller is demoted so that it is removed from the domain, which now runs on Windows Server 2008.
Of the three methods, transitioning to a Windows Server 2008 Active Directory is best: restructuring means creating the entire directory from scratch, and with in-place upgrading administrators are stuck with limited upgrade paths, whereas transitioning allows administrators to retain the existing Active Directory layout, schema, objects, contents and group policies.
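Pre-flight checks for the in-place upgrade path, as an added example that is not part of the original article: it maps each ADPREP switch to the FSMO role holder it must be run on and reads the forest schema version so that the effect of ADPREP /FORESTPREP can be verified. It assumes the ActiveDirectory PowerShell module (RSAT) on a Windows Server 2008 or later host and an account in Enterprise Admins and Schema Admins.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module from RSAT and Enterprise Admins / Schema Admins membership.
Import-Module ActiveDirectory

function Get-AdprepTargets {
    # Which domain controller each ADPREP command has to be executed on.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    @{
        'ADPREP /FORESTPREP'         = $forest.SchemaMaster          # Schema Master FSMO
        'ADPREP /DOMAINPREP'         = $domain.InfrastructureMaster  # Infrastructure Master FSMO
        'ADPREP /DOMAINPREP /GPPREP' = $domain.InfrastructureMaster  # Infrastructure Master FSMO
        'ADPREP /RODCPREP'           = $forest.DomainNamingMaster    # Domain Naming Master FSMO (optional)
    }
}

function Get-SchemaVersion {
    # objectVersion on the schema naming context is the value /FORESTPREP raises.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    [int](Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
}

function Get-DomainPrepRevision {
    # /DOMAINPREP records its progress in the revision attribute of this object;
    # the object is absent until the domain has been prepared at least once.
    $domainDN = (Get-ADDomain).DistinguishedName
    $dn = "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainDN"
    try {
        [int](Get-ADObject -Identity $dn -Properties revision -ErrorAction Stop).revision
    } catch {
        0
    }
}

function Test-ForestPrepApplied {
    # Windows Server 2008 ADPREP raises the schema to objectVersion 44 (a known
    # value, not taken from the article). $true once /FORESTPREP has run.
    param([int]$ExpectedVersion = 44)
    (Get-SchemaVersion) -ge $ExpectedVersion
}

# Record where to run each command and the state before preparation ...
Get-AdprepTargets | Format-Table -AutoSize
"Schema objectVersion before ADPREP /FORESTPREP: $(Get-SchemaVersion)"
"DomainUpdates revision before ADPREP /DOMAINPREP: $(Get-DomainPrepRevision)"
# ... then run ADPREP /FORESTPREP on the Schema Master from the Windows Server
# 2008 media, wait for replication, and re-check:
"Forest prepared for Windows Server 2008: $(Test-ForestPrepApplied)"
```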

Active Directory Cleanup

Over time, user and computer accounts become obsolete or redundant and need to be removed. The Active Directory Cleanup Wizard is a utility developed to eliminate such redundant or duplicate object accounts by merging them. Duplicate user and computer objects usually result when multiple directories are migrated into a new domain or Active Directory is upgraded to a new server.
The Active Directory Cleanup Wizard searches for such redundant objects or accounts and merges them. The accounts, their attributes and their properties are merged into a single user account so as to remove duplicates from the AD database. This in turn helps improve the performance of Exchange servers.
The functionalities of the Active Directory Cleanup Wizard can be summarized as follows:
  • It identifies all the duplicate objects to be merged by searching the Windows NT accounts
  • It lets you review and modify the merge operations after the accounts have been selected
  • It exports and imports lists of accounts, so that administrators can save the details of the merge operation as a .csv file for review
  • The wizard can also be run from command-line tools
Note that the Active Directory Cleanup Wizard cannot be used to clean up server metadata. That task is performed by another utility, ntdsutil.exe, a command-line tool primarily meant for the metadata cleanup procedure and installed by default on every domain controller. During metadata cleanup, all the Active Directory data that identified the domain controller for replication is removed. The metadata cleanup procedure is appropriate only for domain controllers that were not demoted using dcpromo.exe.
On a domain controller running Windows Server 2003 with Service Pack 1 (SP1), running ntdsutil.exe can also remove File Replication Service (FRS) connections. In addition, the procedure transfers the FSMO roles (operations master roles) held by the demoted domain controller.
Here are the steps you need to follow to carry out metadata cleanup:
To clean up server metadata:
  1. Open a command prompt.
  2. Type the following command, and then press Enter: ntdsutil
  3. At the ntdsutil: prompt, type: metadata cleanup
  4. At the metadata cleanup: prompt, type: remove selected server ServerName or remove selected server ServerName1 on ServerName2
  5. To confirm whether the server has been removed, type list servers in site, and then press Enter.
  6. Make sure that the domain controller you are removing is no longer displayed in the command output.
  7. At the metadata cleanup: and ntdsutil: prompts, type: quit
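The same ntdsutil dialogue driven from PowerShell, with the check from steps 5 and 6 done against the configuration partition, as an added example that is not part of the original article. It assumes the ActiveDirectory module (RSAT), a Domain Admins or Enterprise Admins account, and that ServerName is passed as the DN of the server object; the server and site names are hypothetical.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module from RSAT; server and site names used by callers are hypothetical.
Import-Module ActiveDirectory

function Get-DcServerObjectDN {
    # DN of the server object that metadata cleanup removes, e.g.
    # CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example
    param([string]$ServerName, [string]$SiteName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    "CN=$ServerName,CN=Servers,CN=$SiteName,CN=Sites,$configNC"
}

function Test-DcMetadataPresent {
    # $true while the server object (and its NTDS Settings child) still exists.
    param([string]$ServerName, [string]$SiteName)
    $dn = Get-DcServerObjectDN $ServerName $SiteName
    try {
        [void](Get-ADObject -Identity $dn -ErrorAction Stop)
        $true
    } catch {
        $false
    }
}

function Remove-DcMetadata {
    param(
        [Parameter(Mandatory=$true)][string]$ServerName,
        [Parameter(Mandatory=$true)][string]$SiteName
    )
    # Metadata cleanup is only for a DC that was NOT demoted with dcpromo.exe;
    # a DC that still answers on the network should be demoted normally instead.
    if (Test-Connection -ComputerName $ServerName -Count 1 -Quiet) {
        throw "$ServerName is still reachable; demote it with dcpromo.exe instead of cleaning up its metadata."
    }
    if (-not (Test-DcMetadataPresent $ServerName $SiteName)) {
        "No server object for $ServerName in site $SiteName; nothing to clean up."
        return
    }
    $dn = Get-DcServerObjectDN $ServerName $SiteName
    # Steps 2-4 and 7 as one ntdsutil invocation: each quoted argument is one
    # line of the interactive dialogue. ntdsutil still shows its confirmation
    # dialog box before the server object is removed.
    & ntdsutil.exe 'metadata cleanup' "remove selected server $dn" quit quit

    # Steps 5-6: confirm the domain controller no longer appears in the directory.
    if (Test-DcMetadataPresent $ServerName $SiteName) {
        throw "Server object $dn still exists; metadata cleanup did not complete."
    }
    "Metadata for $ServerName removed."
}

# Hypothetical names: the failed DC 'DC2' in site 'Default-First-Site-Name'.
Remove-DcMetadata -ServerName 'DC2' -SiteName 'Default-First-Site-Name'
```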

Active Directory Backup

The Active Directory service essentially operates as a database containing the required information about an entire network. Consequently, it is very important to keep a proper backup of the Active Directory database, as it helps avoid any kind of disaster. Active Directory is backed up as part of the system state, a collection of interdependent system components. Therefore, administrators must back up, and later restore, every system component together: the system registry, the class registration database, the boot files, the AD database, the transaction logs and the reserved transaction logs.
To be able to restore data from a backup effectively, the Active Directory backup must be performed carefully, and it must be repeated at regular intervals. It is necessary to choose which domain controllers are backed up as well as the backup content. Note, however, that any backup older than the tombstone lifetime (TSL) value set in AD (default 60 days) can never be considered a valid backup.
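A check of the rule just stated, as an added example that is not part of the original article: it reads the tombstone lifetime from the directory and compares it with the age of the newest system state backup on a domain controller. It assumes the ActiveDirectory module (RSAT), the Windows Server Backup feature (wbadmin) on a Windows Server 2008 DC, and the "Backup time:" line format of wbadmin get versions.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module from RSAT and wbadmin (Windows Server Backup) on the domain controller.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # TSL is stored on CN=Directory Service,CN=Windows NT,CN=Services,<configuration NC>.
    # When the attribute is not set, Active Directory uses 60 days.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                       -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Test-BackupWithinTombstoneLifetime {
    # Pure check, so it can be applied to any backup timestamp (wbadmin, ntbackup, tape log).
    param(
        [datetime]$BackupTime,
        [int]$TombstoneLifetimeDays,
        [datetime]$Now = (Get-Date)
    )
    ($Now - $BackupTime).TotalDays -lt $TombstoneLifetimeDays
}

function Get-LatestSystemStateBackupTime {
    # Parses the "Backup time: <date> <time>" lines printed by wbadmin get versions
    # (assumed output format); the last entry is the newest. $null when none exist.
    $lines = @(& wbadmin get versions 2>$null | Where-Object { $_ -match '^Backup time:' })
    if ($lines.Count -eq 0) { return $null }
    $text = $lines[-1] -replace '^Backup time:\s*', ''
    [datetime]::Parse($text)   # uses the system locale, as wbadmin prints it
}

$tsl  = Get-TombstoneLifetimeDays
$last = Get-LatestSystemStateBackupTime
if ($null -eq $last) {
    "No system state backup found on this domain controller."
} elseif (Test-BackupWithinTombstoneLifetime -BackupTime $last -TombstoneLifetimeDays $tsl) {
    "Latest backup from $last is usable (TSL = $tsl days)."
} else {
    "Latest backup from $last is older than the TSL of $tsl days and must not be restored."
}
```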
Restoring the Active Directory
When the Active Directory database becomes corrupted or a hardware or software failure occurs, administrators must restore the data from the available Active Directory backup as soon as possible. Restoration is also required when an AD object is deleted or modified. There are several ways in which the Active Directory database can be restored; one of them is Active Directory's own replication process, through which almost all of the latest changes are synchronized to every domain controller. The Backup utility can be used to restore the replicated content from the backup copy without any need to reconfigure the domain controller.
Selection of the appropriate restoration method
There are three types of restore procedure that administrators can use to restore backup data to a corrupt Active Directory. The details of the Active Directory restore methods follow:
Primary restore: This method is used when all the domain controllers of a domain are lost and the domain must urgently be recreated from scratch. Primary restore works by rebuilding the first domain controller in the domain. A primary restore can be performed on the local computer by members of the group delegated this responsibility.
Non-authoritative (normal) restore: A normal restore returns the data present in AD to the state at the time the backup was created; the data is then brought up to date through the replication process. This method can be performed on a domain controller only by a domain administrator.
Authoritative restore: In an authoritative restore, specific data is marked as current, which prevents it from being overwritten during replication. Performed together with a normal restore, the current authoritative data is then replicated throughout the domain. Any change made to a restored object after the backup was taken is lost in an authoritative restore. Ntdsutil, a command-line utility, is used to carry out an authoritative restore along with the system utilities of Windows Server 2003.

Active Directory Reporter

Reports on the different activities conducted in Windows Active Directory play a very important role for administrators in keeping a proper record for reference. Active Directory reports provide administrators with much-needed information about the AD infrastructure and AD components, including objects, domains, sites, groups, OUs, etc. Active Directory reporter tools are applications that assist in generating routine, configuration and audit Active Directory reports. These reports help process data about user accounts, service level availability issues, Active Directory trending, etc.
The AD management pack for Microsoft Operations Manager (MOM) offers a predefined set of reports developed specifically to observe the performance and availability of the Active Directory services. The management pack for MOM generates complete reports, including reports on service availability and reports that provide estimates for capacity planning.
However, the AD replication monitoring report is disabled in the management pack by default. To enable it, administrators need to enable the data collection rule using the configuration information provided in the Active Directory Latency Performance Data Collection - Sources rule group descriptions. The Active Directory reporter of the management pack offers diverse types of reports, some of which are explained in the next section.
Some of the reports which provide data about AD configuration information are mentioned below:
  • AD Domain Controllers: It provides a complete list of all domain controllers, along with their IP addresses and sites within a selected domain.
  • AD Role Holders: It offers a list of all computers which hold one or more operations master role or act as global catalog servers.
  • AD Replication Objects: It summarizes the AD replication topology and then provides a list of connection objects.
  • AD Replication Links: It provides the outline of current replication site link configuration for Active Directory.
Reports which provide information about Active Directory disk space are as follows:
  • AD DC Disk Space: This report summarizes the disk space usage and free space for the Active Directory database and log volumes. It is very helpful for administrators, as it lets them predict volume sizes from the current growth rate.
The reports through which administrators obtain information about Active Directory operations are given below:
  • AD Domain Changes: This report provides data on noteworthy changes made in the domain, such as the addition or removal of domain controllers and movement of the PDC emulator operations master.
  • AD Machine Account Authentication Failures: This report summarizes data on workstations that are unable to authenticate, which prevents Group Policy updates and software distribution to those computers.
  • AD SAM Account Errors: Reports on events indicating that the SAM has detected an error, and provides corrective guidance.
Reports which provide information on Active Directory replication process are as follows:
  • AD Replication Bandwidth: This report provides a synopsis of both uncompressed and compressed replication bandwidth over a selected period. It is very useful for capacity planning.
  • AD Replication Latency: This report provides data about the nominal, average and maximum replication latency per naming context and per domain controller. It can be used to confirm service level agreements (SLAs) within a domain or forest.

Active Directory Utilities

Active Directory's directory services maintenance utility (ntdsutil.exe) is an effective command-line tool primarily used for managing AD. Maintaining the Active Directory database, managing and holding single master operations, creating application directory partitions, removing metadata left behind by domain controllers, managing the SAM, resetting the DSRM password, transferring FSMO roles to a domain controller and many additional tasks can be performed with the directory services maintenance utility. This menu-driven tool was developed for interactive use, though it can also be driven from scripts.
Some of the most frequent jobs that can be performed with ntdsutil.exe are summarized below:
  1. Authoritative restore: In an authoritative restore, specific data that has been marked as current is protected from being overwritten during replication. All changes made to a restored object after the backup was created are lost. Ntdsutil.exe is used to carry out an authoritative restore in tandem with the system utilities of Windows Server 2003.
  2. Configurable Settings: Manages and controls configurable settings.
  3. Domain Management: Used for creating naming contexts and adding replicas to the DNS application directory partition.
  4. Files: This functionality is only available after booting the server into Directory Services Restore Mode. It checks the integrity of NTDS.DIT and moves the related database files.
  5. Roles (FSMO maintenance): Used for assigning a single operations master role to the corresponding domain controller. For this function, ntdsutil.exe is used together with NetDom or the Active Directory snap-ins.
  6. Reset DSRM password: Makes it much easier to reset the Directory Services Restore Mode password.
  7. Security Account Management: Checks for duplicate SIDs, especially during metadata cleanup.
Active Directory utilities are available with Windows Server 2008 and Windows Server 2008 R2, provided the AD DS or AD LDS server role is installed. Ntdsutil.exe is also obtainable by installing the Active Directory Domain Services Tools, which are part of RSAT (Remote Server Administration Tools).
Mentioned below are the steps that are necessary for running the command line utility ntdsutil.exe:
  • Click Start> right click Command Prompt> Run as administrator
  • In the elevated command prompt run ntdsutil.exe.
Remember that where only the AD LDS server role is installed and not the AD DS server role, the Active Directory utilities dsdbutil.exe and dsmgmt.exe must be used in place of ntdsutil.exe for the same jobs.

Active Directory Viewer

To navigate the entire Active Directory database without difficulty, you need to view the properties and attributes of objects, view the AD schema and run searches. Fortunately, Microsoft provides Active Directory Explorer (AD Explorer), an advanced Active Directory viewer and editor with which an administrator can browse the internal structure of AD, view properties and permissions, and edit the attributes of AD objects without opening separate dialog boxes.
Apart from serving as an Active Directory viewer, AD Explorer can also save snapshots of the AD database for offline viewing or comparison. Once a saved snapshot is loaded, it can be navigated and explored with AD Explorer. The comparison functionality of this viewer lets administrators compare two snapshots of the Active Directory database for changes in objects, attributes and security permissions.
This utility is quite similar to another Active Directory viewer, ADSI Edit, which supports Windows Server 2003 and 2008 R2, though ADSI Edit lacks the snapshot functionality. Furthermore, AD Explorer can bookmark AD objects, which is handy when viewing the same objects repeatedly. Another advantage of AD Explorer is faster navigation between objects than the ADUC snap-in offers. With a single click, all the attributes of an object can be viewed in AD Explorer, and the values of object attributes can be copied to the clipboard and emailed.
Active Directory objects can also be modified with AD Explorer; however, not all objects can be modified, especially once they have been deleted, so reanimating tombstoned objects is not possible with AD Explorer. Also, the snapshots created with this Active Directory viewer cannot be used as a backup, and the comparison report produced from two snapshots cannot be exported. When the live Active Directory is the current mode, AD Explorer does not allow snapshots to be taken.

Active Directory Query

Searching for particular information in the Active Directory structure can take a lot of time, and without structured queries it is a tedious job for administrators. Proper use of Active Directory queries makes the situation much better, letting you locate users, groups, computers, contacts, OUs, subnets and servers. Of the many command-line tools available for Active Directory management in the different versions of Windows Server, Dsquery is one utility that can be used as an Active Directory query tool. With it, explicit search criteria can be run as queries that help find the required information quickly. This built-in tool is available if the Active Directory Domain Services (AD DS) server role is installed.
The dsquery command is run from an elevated command prompt. To open one:
Click Start, right-click Command Prompt and click Run as Administrator.
The following dsquery commands are used to search and explore Active Directory information:
  1. Dsquery computer: Finds computers in the directory that match the search criteria you specify.
  2. Dsquery contact: Finds contacts in the directory that match the specified search criteria.
  3. Dsquery group: Finds groups in the directory that match the specified criteria. Note that if the search criteria available in this command are insufficient, you must use the general version of the query command, dsquery *
  4. Dsquery ou: Finds organizational units (OUs) in the Active Directory data store that match the specified search criteria. If the search criteria available in this command are inadequate, use the more general version of the query command, dsquery *
  5. Dsquery site: Finds sites in Active Directory that match the specified search criteria. As with any other dsquery command, if the predefined search criteria are deficient, use the more general version of the query command, dsquery *
  6. Dsquery server: Finds domain controllers that match the search criteria a user specifies. If the predefined search criteria in this command turn out to be insufficient, use the more general version of the query command, dsquery *
  7. Dsquery user: Finds user accounts in Active Directory that match the search criteria. If the predefined search criteria in this command are inadequate, use the more general version of the query command, dsquery *
  8. Dsquery quota: Finds quota specifications in the directory data store that match the specified search criteria. A quota specification determines the maximum number of directory objects that a particular security principal can own in a specific directory partition. If the search criteria available in this command are inadequate, use the more general version of the query command, dsquery *
  9. Dsquery partition: Finds partition objects in Active Directory that match the specified search criteria. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *
  10. Dsquery *: Searches for any Active Directory object according to the criteria given in an LDAP query.
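Account-hygiene queries built from the dsquery commands listed above, as an added example that is not part of the original article: they find inactive accounts (candidates for the cleanup described earlier), passwords that are stale or never expire, and the servers holding the operations master and global catalog roles. It assumes an elevated PowerShell prompt on a host with the AD DS tools installed; the week and day thresholds are assumptions.

```powershell
# Added example (not from the original article): dsquery/dsget are cmd-style
# tools invoked from PowerShell. -limit 0 lifts dsquery's default cap of 100
# results; thresholds are assumptions to adjust for your environment.

function Find-InactiveAccounts {
    # dsquery user/computer -inactive <weeks> lists accounts that have not
    # logged on for that many weeks. Returns DNs grouped by object type.
    param([int]$Weeks = 8)
    $users     = @(& dsquery user     -inactive $Weeks -limit 0)
    $computers = @(& dsquery computer -inactive $Weeks -limit 0)
    New-Object PSObject -Property @{ Users = $users; Computers = $computers }
}

function Find-StalePasswords {
    # -stalepwd <days> selects users whose password was not changed in that
    # many days; dsget reads the DNs from the pipeline and adds the flags.
    param([int]$Days = 90)
    & dsquery user -stalepwd $Days -limit 0 | & dsget user -samid -pwdneverexpires -disabled
}

function Find-PasswordNeverExpires {
    # dsquery * with an LDAP filter: the matching-rule OID
    # 1.2.840.113556.1.4.803 tests the DONT_EXPIRE_PASSWD bit (0x10000 = 65536)
    # of userAccountControl on enabled-or-disabled user objects.
    $filter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
    & dsquery * -filter $filter -attr sAMAccountName pwdLastSet -limit 0
}

function Get-FsmoRoleHolders {
    # dsquery server -hasfsmo <role> prints the server object DN of the DC
    # holding that operations master; -isgc lists the global catalog servers.
    $holders = @{}
    foreach ($role in 'schema', 'name', 'infr', 'pdc', 'rid') {
        $holders[$role] = (@(& dsquery server -hasfsmo $role) -join ';')
    }
    $holders['gc'] = (@(& dsquery server -isgc) -join ';')
    $holders
}

$inactive = Find-InactiveAccounts -Weeks 8
"Inactive users: $($inactive.Users.Count); inactive computers: $($inactive.Computers.Count)"
"Users with passwords older than 90 days:"
Find-StalePasswords -Days 90
"Users whose password never expires:"
Find-PasswordNeverExpires
"Operations master and global catalog servers:"
Get-FsmoRoleHolders | Format-Table -AutoSize
```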