Microsoft released a series of patches that broke user group policies - Resolution

Microsoft released a series of patches that broke user group policies. Below is a snippet from the TechNet blog at https://blogs.technet.microsoft.com/askpfeplat/2016/07/05/who-broke-my-user-gpos/.

We released new security patches for all currently supported Operating Systems. Among those patches was this one: MS 16-072, which is also referenced as KB 3163622. OS Specific articles are released as 3159398, 3163017, 3163018, and 3163016.

KB 3159398 – Vista, 2008, 7, 2008 R2, 2012, 8.1, 2012 R2
KB 3163017 – Windows 10 TH1
KB 3163018 – Windows 10 TH2 and Server 2016 TP4
KB 3163016 – Server 2016 TP5

NOTE: The AskDS blog also has some excellent content out there on this topic that can be found here.

After applying the appropriate patch to your systems, User group policies are retrieved from SYSVOL differently than before. Prior to the update, domain joined computers used the user’s security context to make the connection and retrieve the policies. After the update is applied, domain joined computers will now retrieve all policies using the computer security context. The users that get the policy is still controlled by the policy scope just like before. The only change is the computer is getting the policy for the user.

Ones that still had the default security scope of “authenticated users” typically still worked because that also grants the permission to any domain authenticated computers.

To work around this change, the computer account will need “read” access to all GPOs in order to evaluate whether the user policies are applicable. I used group policy to grant the “domain computers” group read access to all existing group policies, and modified the security descriptor in the defaultSecurityDescriptor property of the CN=Group-Policy-Container object in the AD schema so that new policies will get this permission by default. I have tested this and it seems to have fixed the issue in new and existing group policies. I originally thought this may be directly related to Windows 10 being that’s where I was seeing it, but I guess not. If you have had issues with user group policies lately, this was probably the problem.

Below is exactly what I did to fix the issue.

From an elevated PowerShell prompt I ran:
Set-GPPermissions -all -PermissionLevel GpoRead -TargetName “Domain Computers” -TargetType Group

That grants the "domain computers" group read permissions to all of the existing group policies. This will not remove any other permissions that were already granted to that group.

Next I logged in to the domain controller that holds the operations master role. From there you can open ADSIedit and connect to the schema naming context. Find the CN=Group-Policy-Container object, right-click and click properties. Locate the defaultSecurityDescriptor attribute, and click edit. Append (A;CI;LCRPLORC;;;DC) to the end of that string. This will grant the "domain computers" group read access to any new group policies that are created in the domain.

Filter Security Event Logs by User in Windows 2008 & Windows 7

If you are like me, you probably miss being able to easily filter your security event logs by a specific user like we did in previous versions of Microsoft Windows. Well, it is still possible in Windows 2008 and Windows 7. You just need to use the XML filter option. When you are in the security event logs, click on "Filter Current Log..." from the actions pane. Click the XML tab of the window that opens, and check the box next to "Edit query manually".

Forceful Demotion of a Dead Domain Controller

If one of your domain controllers dies on you, then you cannot gracefully demote it. So, when this happens there are a few things that you need to do to remove it from the domain and cleanup the mess that this failure created.

The first step is to jump on one of your remaining domain controllers that's running Windows 2003 SP1 or newer.

IIS Log Management Script in Powershell

IIS logs on a busy webserver can use up a lot of disk space. I wrote this little powershell script that I schedule to run on all of my web servers. It goes in and deletes out any IIS logs older than 1 year. Then it compresses any IIS logs that are left which are older than 1 day and are not already compressed. You can change the length of time for these to suit your needs by changeing the numbers in the "AddDays(-123)" parts of the script. Just make sure it's a negative number, or else you won't have any logs left.

How to Configure Your Page File to Save Disk Space

Written by Greg Kjono

There are a couple of hidden files that typically use up a lot of disk space, especially in systems that have large amounts of RAM. These are the pagefile.sys and hiberfil.sys. Hiberfil.sys can be deleted if you don't use the hibernation feature. Instructions on how to do that are available at http://nerdsknowbest.blogspot.com/2013/01/how-to-delete-hiberfilsys-on-windows.html.

I don't recommend completely removing the pagefile, especially on desktops and laptops, however. You can configure them to not use so much disk space though. By default they are set to "system managed" and are probably close in size to the amount of memory you have in your PC. Chances are that you aren't actually using most of that space in the page file, and that your computer is just allocating that space in case it needs it in the future.

Error! Windows - No Disk: Exception Processing Message c0000013 Parameters 75a851d8 979a26dc 75a851d8 75a851d8

This is one of those errors that doesn't really give you any information to go on. All you really get is this popup message that say Windows - No Disk: Exception Processing Message c0000013 Parameters 75a851d8 979a26dc 75a851d8 75a851d8.

Phantom space used in Windows 7, Windows Server 2008, Windows Server 2008 R2, and Windows Vista

A common issue that has baffled a lot of administrators is where a large amount of disk space is showed as in use, but they can’t find the files that are using it. For example, ff you go to the root of the C: drive, select all of the files, right-click, and click properties. The amount of space shown as used on that properties window isn’t nearly what it should be if you deduct it from the size of the drive and compare your results to the free space that Windows explorer, or my computer shows.

There are a couple things that most often contribute to this. The first is a bloated, oversized $TOPS file. You can set your system to specify that the Transaction Resource Manager will clean the transactional metadata on the next mount, or reboot.

How to delete hiberfil.sys on Windows 2008/Vista/Windows 7

In Windows 2008, 2008 R2, Vista and Window 7, disabling hibernation via Power Options in the control panel doesn't get rid of the hiberfil.sys file. This file is usually equal to the amount of memory your system has, so it eats up a lot of disk space. This is  especially true if you have a lot of memory which is common on servers, or a small amount of disk which is common on virtual machines. To get rid of this file and free disk space, just run the following command from an elevated, or administrative command prompt.