Showing posts with the label Windows AD Management. Show all posts

2026-02-03

Open "Find Printers" by Hyperlink



Microsoft Edge

# AutoOpenFileTypes: qds
GPO: Computer Configuration → Administrative Templates → Microsoft Edge → List of file types that should be automatically opened on download
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Edge\AutoOpenFileTypes" -Force | Out-Null
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Edge\AutoOpenFileTypes" -Name "1" -Value "qds" -PropertyType String -Force | Out-Null

# AutoOpenAllowedForURLs: allow only intranet.contoso.com
GPO: Computer Configuration → Administrative Templates → Microsoft Edge → URLs where AutoOpenFileTypes can apply
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Edge\AutoOpenAllowedForURLs" -Force | Out-Null
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Edge\AutoOpenAllowedForURLs" -Name "1" -Value "intranet.contoso.com" -PropertyType String -Force | Out-Null
Verify: edge://policy


Google Chrome

2025-02-20

Getting computer information, software lists and other data with PowerShell

This PowerShell script collects the following information and saves it in JSON format to a share folder

LogonServer
Site
UserName
ComputerName
ComputerInfo
DiskInfo
Applications
NetworkInfo
GroupsInfo
LocalUsers

Deployed by GPO; on the target share folder, give Users the Create Child Objects permission
and give CREATOR OWNER the Delete permission

The file name is User Name + Computer Name, followed by the date as year, month, day, hour, minute and second
Only the newest 5 reports are kept

2024-12-03

DFS-R stops replicating after being disconnected for too long

Event ID 4012 appears in the DFS Replication event log

The DFS Replication service stopped replication on the folder with the following local path: C:\DFSR\Folder. This server has been disconnected from other partners for xxx days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected. 

To resume replication of this folder, use the DFS Management snap-in to remove this server from the replication group, and then add it back to the group. This causes the server to perform an initial synchronization task, which replaces the stale data with fresh data from other members of the replication group. 

Commands:

Query the MaxOfflineTimeInDays setting:
wmic.exe /namespace:\\root\microsoftdfs path DfsrMachineConfig get MaxOfflineTimeInDays

2022-10-04

Store BitLocker Recovery Password to AD via GPO and PowerShell

Computer Configuration (Enabled)
=> Policies
=> => Windows Settings
=> => => Scripts
=> => => => Startup
=> => => => => StoreBitlockerRecoveryPasswordToAD.ps1

=======================================================
ACL: add an Allow entry for Domain Computers with Read and Execute
=======================================================
# Find the recovery-password key protector(s) on the C: volume
$recoveryProtectors = Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object -ExpandProperty KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

# Back up each recovery password to the computer object in AD (one volume can hold several)
foreach ($protector in $recoveryProtectors) {
    if ($null -ne $protector.KeyProtectorId) {
        Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $protector.KeyProtectorId
    }
}

=======================================================

2022-09-29

Password recovery for Remote Desktop Connection Manager (RDCM password recovery)

  1. Copy RDCMan.exe and change its extension to dll => RDCMan.dll
  2. PowerShell command: Import-Module [Path]\RDCMan.dll
  3. Open the saved RDCM .rdg file with a plain-text editor (e.g. Notepad, Notepad++)
  4. Find the <password> section inside the connection entry you need and copy its content
  5. Wave the magic wand and let the restoration magic happen

2022-06-14

GPO settings that allow users to install printer drivers

GPO

Computer Configuration
- Policies
- Windows Settings
- Security Settings
- Local Policies
- User Rights Assignment
- Load and unload device drivers

Domain Users

Computer Configuration
- Policies
- Windows Settings
- Security Settings
- Local Policies
- Security Options
- Devices: Prevent users from installing printer drivers

Disabled

Computer Configuration
- Policies
- Administrative Templates
- System/Device Installation/Device Installation Restrictions
- Allow installation of devices using drivers that match these device setup classes

Computer Configuration
- Policies
- Administrative Templates
- System/Driver Installation
- Allow non-administrators to install drivers for these device setup classes

Originally the two settings above contained only these two classes:
{4658ee7e-f050-11d1-b6bd-00c04fa372a7}
{4d36e979-e325-11ce-bfc1-08002be10318}

Windows 10 & Windows 11 kept showing "Driver is unavailable"
I found that the following class has to be added as well, after which it works:

2022-02-11

Tools for listing installed software (Software List)

JSJSS

Open Source x Cost Saving: Enterprise Application Experience Sharing (1)+(2) [2017/02/03] @ Taichung City Government (slideshare.net)

WinAudit

Open source, a standalone tool, no server required (though you can of course store the data on a server)

Computer Account Startup Script:

\\Server.Contoso.com\WinAudit$\WinAudit.exe /r=gous /T=datetime /f=\\Server.Contoso.com\WinAudit$\Logs\%computername%_macaddress.csv

2022-01-05

Finding the time and content of the last change to an AD user account object

Simple version, which only gets the time:

    Get-ADUser UserName -Properties * | select-object whenChanged

Complex version that pulls out every last thing (provided by the mighty JerryChang)

    Get-ADReplicationAttributeMetadata `
        -Object "CN=UserName,OU=User,DC=Contoso,DC=com" `
        -Server DC.Contoso.com |
    Select-Object AttributeName, AttributeValue, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerInvocationId |
    Out-GridView


2021-10-26

Listing the password expiry date of accounts under a specific OU & resetting the password expiry date

    Get-ADUser -Filter { Enabled -eq $True -and PasswordNeverExpires -eq $False } `
        -SearchBase "OU=CorpUsers,DC=contoso,DC=com" `
        -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed", "PasswordLastSet", "PasswordNeverExpires", "LockedOut" |
    Select-Object -Property "DisplayName", "PasswordLastSet", `
        @{ Name = "ExpiryDate"; Expression = { [datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed") } }, `
        "PasswordNeverExpires", "LockedOut" |
    Format-Table

Use the following commands together with it to reset the password expiry date

    Set-ADUser -Identity UserName -ChangePasswordAtLogon:$true
    Set-ADUser -Identity UserName -ChangePasswordAtLogon:$false

2021-07-08

How to reset the computer account password when working from home (WFH)

This should not normally be needed: the machine has already lost contact with the domain and logs in to the OS with cached credentials,
so it should not run into the "computer account password expired, trust relationship lost" problem

But if you do need it, connect to the VPN first, then run the PowerShell command

Test-ComputerSecureChannel -Server DC.Contoso.com -Credential Contoso\Administrator -Repair

How to log in to the domain again to refresh the account's Member Of information when working from home (re-logging in to the OS)

A user has been working from home for a while,
the password has expired or the account's Member Of attribute needs to be refreshed,
and so the user has to log in to the OS again while connected to the domain network

First log in to the OS with a local account
Connect with the VPN built into Windows (SoftEther VPN also works); once connected,
run the command tsdiscon to switch user
The VPN connection stays up, but you can now log in with the AD domain user account
At that point you can change the password and receive the latest Member Of information, GPOs and so on

2020-12-08

Get AD group member hierarchy

First see this post: command to get AD group members (Group Members List)

This post is the advanced version, for producing reports

#-------------------------------------------------------
$OUFilter = 0                                  # OU filter switch used by the rest of the script
$UserOU = "OU=Users,DC=Contoso,DC=com"         # OU the filter applies to

$Groups = @()                                  # groups whose member hierarchy will be reported
$Groups += "Users_Group"
#-------------------------------------------------------

2020-08-14

Replacing users' printers with a logon script

For various reasons we sometimes have to change a user's printers,
for example the print server has been replaced, or the leased copier has been swapped for a new one
Users who are comfortable with computers can simply search for and install the printer themselves (the AD environment is set up for that)
but some people just need your help
To be an MIS who looks after the users, pushing a script through GPO to replace printers is perfectly normal
The VBS below was written many years ago; the variables are lazy: two arrays into which you put the printers yourself
After all, this kind of thing is only temporary, so it does not matter if the code is a bit ugly

Once configured, use GPO to run it at user logon. Script logic:
  1. Record which printers the user has
  2. Record which one is the user's default printer
  3. Delete the printers
  4. Add the printers (on the new server)
  5. Set the default printer

===== Script start =====

Dim PrinterToReplace
Dim PrinterReplacement
' PrinterToReplace and PrinterReplacement must have the same number of entries
' Example:
' "\\Printer1.Contoso.com\HPPrinter1" is replaced by "\\Printer1.Contoso.com\HPPrinter1"
' "\\Printer1.Contoso.com\HPPrinter11" is replaced by "\\Printer2.Contoso.com\HPPrinter12"

2020-05-22

Get the computer accounts running a Windows Server OS in AD, with their IP addresses

Get-ADComputer -Filter { OperatingSystem -Like "Windows Server*" } -Properties Name, OperatingSystem, OperatingSystemServicePack |
ForEach-Object {
    # Reset first so a failed lookup does not reuse the previous computer's address
    $DNS = $null
    try {
        $DNS = Resolve-DnsName -Name $_.Name -ErrorAction Stop
    } catch {
        # Name did not resolve; leave the IP column empty
    }
    Write-Output ('"' + $_.Name + '","' + $_.OperatingSystem + '","' + $_.OperatingSystemServicePack + '","' + ($DNS.IPAddress -join ';') + '"')
}

2020-05-12

Fixing the Network Location Public / Private / Domain problem

It often happens that after a domain computer or server finishes booting, the network location is Public, so the wrong firewall profile applies and connections are affected
So I wrote a simple PowerShell script, deployed through GPO, that checks and corrects this every time the computer starts
The idea is simple: first use Get-NetConnectionProfile to find out whether the current network profile is Domain
If it is not Domain, restart the Network Location Awareness service
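An added example of the check described above, not the post's own script: it queries Get-NetConnectionProfile, and if no interface was classified as DomainAuthenticated it restarts the Network Location Awareness service (NlaSvc) so that the profile is re-detected. The retry loop first confirms that the domain name resolves and answers, because restarting NlaSvc before a domain controller is reachable only re-detects Public again. The domain name contoso.com and the attempt counts are assumptions.

```powershell
# Added example: re-detect the network location when the domain profile is missing.
# Intended for a GPO computer startup script; logs go to the script output.
$domainName  = 'contoso.com'   # assumed domain name; adjust to your environment
$maxAttempts = 3               # assumed number of detection attempts

function Test-DomainProfile {
    # True when at least one connection profile is classified as DomainAuthenticated
    $profiles = Get-NetConnectionProfile -ErrorAction SilentlyContinue
    return [bool]($profiles | Where-Object { $_.NetworkCategory -eq 'DomainAuthenticated' })
}

for ($attempt = 1; $attempt -le $maxAttempts; $attempt++) {
    if (Test-DomainProfile) {
        Write-Output "Domain profile active (attempt $attempt); nothing to do."
        break
    }

    # Restarting NlaSvc is pointless while no DC answers; wait for the domain to be reachable
    if (-not (Test-NetConnection -ComputerName $domainName -InformationLevel Quiet)) {
        Write-Output "Domain $domainName not reachable yet; waiting before attempt $attempt."
        Start-Sleep -Seconds 15
        continue
    }

    Write-Output "Profile is not Domain (attempt $attempt); restarting NlaSvc."
    Restart-Service -Name NlaSvc -Force   # -Force also restarts services that depend on NlaSvc
    Start-Sleep -Seconds 10               # give NLA time to re-classify the interfaces
}
```

Because the firewall profile follows the network category, a log line saying the profile was still Public after the last attempt is worth alerting on: it means the host is running with the Public firewall rules while sitting on the domain network.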

2019-05-09

Updating the GPO-deployed thumbprints when using Let's Encrypt for the VDI RDCB certificate

When connecting to a RemoteApp or VM, the following message pops up
A website is trying to run a RemoteApp Program. Make sure that you trust the publisher before you connect to run the program
This Remoteapp program could harm your local or remote computer.



It is known that the thumbprint of the RDCB certificate has to be deployed through GPO
The GPO setting path is:
Windows Components\Remote Desktop Services\Remote Desktop Connection Client
>> Specify SHA1 thumbprints of certificates representing trusted .rdp publishers
But with a free option like Let's Encrypt, where the certificate is replaced every two or three months,
updating the thumbprint in the GPO setting by hand as well is too much trouble, so I looked up PowerShell commands that can do it

Read together with: Automatically deploying a Microsoft RDS (VDI/RemoteApp) environment based on a Let's Encrypt public certificate with PowerShell
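An added example of the automation the post describes, not the post's own script: it reads the newest valid certificate for the RDS name from the RDCB's machine store and writes its thumbprint into the GPO registry value behind "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers", touching the GPO only when the thumbprint actually changed. The certificate subject CN=rds.contoso.com and the GPO name "RDS Trusted Publishers" are assumptions; the registry key and value name are the ones that policy is documented to write, and the GroupPolicy module (RSAT) must be available where the script runs.

```powershell
# Added example: sync the trusted .rdp publisher thumbprint in a GPO with the
# certificate currently installed on the RDCB after a Let's Encrypt renewal.
Import-Module GroupPolicy

$certSubject = 'CN=rds.contoso.com'        # assumed subject of the RDS certificate
$gpoName     = 'RDS Trusted Publishers'    # assumed GPO name
$policyKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$valueName   = 'TrustedCertThumbprints'    # value the policy setting maps to

# Renewals leave the expired certificate behind, so pick the newest one that is still valid
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $certSubject -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No valid certificate with subject $certSubject found in the machine store" }

# Read what the GPO holds now; the cmdlet errors when the value does not exist yet
$current = (Get-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName $valueName -ErrorAction SilentlyContinue).Value

if ($current -eq $cert.Thumbprint) {
    Write-Output "GPO '$gpoName' already trusts thumbprint $($cert.Thumbprint); no change."
} else {
    # Overwrites the value, so only the current certificate stays trusted
    Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName $valueName -Type String -Value $cert.Thumbprint | Out-Null
    Write-Output "Updated GPO '$gpoName': trusted thumbprint is now $($cert.Thumbprint) (was: '$current')."
}
```

Run it from the renewal hook on the RDCB with an account that may edit the GPO; replacing rather than appending the value is deliberate, since keeping old thumbprints would leave clients trusting certificates that are no longer in use.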

2019-05-08

Step-by-Step Guide for upgrading SYSVOL replication to DFSR (Distributed File System Replication)

The following article was not written by me; it is reposted only in case the source page disappears one day
This Article is not written by myself.
Just a backup in case of the original one might be offline someday.
All credit goes to http://www.rebeladmin.com

Origin URL:
http://www.rebeladmin.com/2015/04/step-by-step-guide-for-upgrading-sysvol-replication-to-dfsr-distributed-file-system-replication/

SYSVOL is a folder shared by domain controllers to hold logon scripts, group policies and other items related to AD. All the domain controllers in the network replicate the content of the SYSVOL folder. The default path for the SYSVOL folder is %SystemRoot%\SYSVOL. This folder path can be defined when you install Active Directory.

Windows Server 2003 and 2003 R2 use the File Replication Service (FRS) to replicate SYSVOL folder content to other domain controllers. But Windows Server 2008 and later use Distributed File System (DFS) for the replication. DFS is more efficient than FRS. Since Windows Server 2003 is going out of support, most people have already migrated or are still looking to migrate to the latest versions. However, migrating FSMO roles WILL NOT migrate SYSVOL replication from FRS to DFS. Most engineers forget about this step when they migrate from Windows 2003 to new versions.

For the FRS to DFS migration we use the Dfsrmig.exe utility. More info about it is available at https://technet.microsoft.com/en-au/library/dd641227(v=ws.10).aspx

2018-01-19

WSUS Windows Update auto-approve after one month (delayed automatic approval)

WSUS has no built-in delayed-approval feature
But updates released by Microsoft often have problems: some are pulled the next day, some within two weeks, and a new version is released
To avoid being the guinea pig, Microsoft's advice is to build a test environment and approve manually
The question is how many companies have that kind of spare time and manpower?

Not auto-approving the moment an update is published is, I think, a reasonable compromise,
but it still cannot completely avoid compatibility problems between updates and applications
To delay approval you need PowerShell
First, do not configure auto-approval in WSUS
Then run the script below once a day (you can also run a clean-up alongside it; see this post)

*. The check in red is optional: the Malicious Software Removal Tool is not marked Superseded immediately after being replaced