Disable install certificates on a desktop computer for users


Below I put how to block that a user cannot install certificates on a desktop.


In a new GPO on User config configure the following settings to block a user for can not install certificates with internet explorer or use the certificates snapin:


The next step is to block by GPP than a user cannot install cert doing double click on the cert. The path to configure this is Computer Configuration\Windows Settings\Security Settings\File System


There we add the following exe´s:







And add a new user group denying permissions.


When user will do double click will appear the following message.



Configure Outlook Anywhere with GPO for Outlook 2003


In Outlook 2003 adm you can´t unfortunately configure Outlook Anywhere settings and I done it with old school procedure:

Open GPMC and make a new GPO, go to GPP and execute wizard, go to fins a a desktop computer with Outlook well configured, and import from  HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a the following entries:

“00036623”= Enable Exchange Proxy settings and control various check boxes.
“001f6622″=  For specifying Exchange proxy server name
“001f6625″=  For specifying Exchange proxy server name according to principal cert name.
“00036627”= For Authentication – Basic or NTLM

Take care that is posible that users has various Outlook profiles. Then you need to add the same but changing the registry path HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a in subfolder Outlook by other name profile.

Also, you can configure targeting in every configuration path for only apply to users that has an existent profile.

Ah, this gpo is only for user!

Regards and best practices!

Warning in Win XP accessing to HTTPS websites


Today an end user told me that when she go to a secure website (HTTPS) it show a warning message like that:


The problem is that she is using Windows xp an need a fix to solve it, she can´t access to any website with HTTPS. The issue is interesting because affect to all certificates with less than 1024 bits. Here I put the link to the KB.




How to increase MaxTokenSize


When users pertain a lot of groups or sid history has a lot of passwords this do that the token size to be increased too much. To solve this error you have two options, reduce the user group membership, reduce password history or increase the token size, (How interact a token when a user go to authenticate: http://technet.microsoft.com/en-us/library/cc783557(v=ws.10).aspx)

For the second option you can do the following reconfiguration on the workstations:



Entry: MaxTokenSize
Data type: REG_DWORD
Value: 48000

By GPO do the following configurations:



Import pfx certificate with certutil through vbscript

After I have exported all certificates with private key I developed this script that import all pfx in the user´s personal store.

Set objFSO = CreateObject(“Scripting.FileSystemObject”)
Set shell = CreateObject(“WScript.Shell”)
Const ForAppending = 2
Dim objFSO:Set objFSO = CreateObject(“Scripting.FileSystemObject”)

objStartFolder = “C:\Temp”

Set objFolder = objFSO.GetFolder(objStartFolder)

Dim ext

ext = “”

Set colFiles = objFolder.Files
For Each objFile in colFiles
ext = Mid(objFile.Name, len(objFile.Name) – 3, len(objFile.Name))
if (ext=”.pfx”) then
shell.run “certutil.exe -user -p 12345678 -importpfx c:\temp\” & objFile.Name
end if