Below I describe how to prevent a user from installing certificates on a desktop.
In a new GPO, under User Configuration, configure the following settings to prevent a user from installing certificates with Internet Explorer or from using the Certificates snap-in:
The next step is to use GPP so that a user cannot install a certificate by double-clicking it. The path to configure this is Computer Configuration\Windows Settings\Security Settings\File System.
There we add the following executables:
Then add a new user group and deny it permissions.
When the user double-clicks the certificate, the following message appears.
Unfortunately, the Outlook 2003 ADM template does not let you configure Outlook Anywhere settings, so I did it the old-school way:
Open GPMC and create a new GPO, go to GPP and run the wizard, find a desktop computer with Outlook correctly configured, and import from HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a the following entries:
"00036623" = Enables Exchange Proxy settings and controls the various check boxes.
"001f6622" = Specifies the Exchange proxy server name.
"001f6625" = Specifies the principal certificate name the proxy server must present.
"00036627" = Authentication method: Basic or NTLM.
Take care: it is possible that users have several Outlook profiles. In that case you need to add the same entries again, changing the registry path HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a so that the Outlook subfolder is replaced by the other profile's name.
You can also configure item-level targeting on every registry item so that it applies only to users who have that profile.
Ah, this GPO is for users only!
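As an added example (not code from the original post), the following PowerShell script reads the four values above from every MAPI profile of the current user, so you can verify that the registry items, and any profile targeting, were applied to each profile. It assumes the values are stored as REG_BINARY in the usual MAPI layout (0003xxxx as a 4-byte little-endian integer, 001fxxxx as a null-terminated UTF-16LE string); the function and variable names are my own.

```powershell
# Added example, not code from the original post: read-only audit of the Outlook Anywhere
# values in every Outlook MAPI profile of the current user.
$profilesRoot = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles'
$serviceKey   = '13dbb0c8aa05101a9bb000aa002fc45a'   # Exchange service section named in the post

# Assumption: MAPI profile properties are REG_BINARY; 0003xxxx = 4-byte little-endian
# integer, 001fxxxx = null-terminated UTF-16LE string. Anything else is shown as hex.
function ConvertFrom-MapiValue {
    param([string]$Name, $Value)
    if ($null -eq $Value) { return '<not set>' }
    if ($Value -isnot [byte[]]) { return $Value }          # e.g. a REG_DWORD written by GPP
    switch ($Name.Substring(0, 4)) {
        '0003' { if ($Value.Length -ge 4) { return [BitConverter]::ToUInt32($Value, 0) } }
        '001f' { return ([Text.Encoding]::Unicode.GetString($Value)).TrimEnd([char]0) }
    }
    return ($Value | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-OutlookAnywhereSettings {
    foreach ($mapiProfile in Get-ChildItem -Path $profilesRoot -ErrorAction SilentlyContinue) {
        $path = "$($mapiProfile.PSPath)\$serviceKey"
        if (-not (Test-Path -Path $path)) { continue }     # profile has no Exchange section
        $key = Get-Item -Path $path
        [pscustomobject]@{
            Profile       = $mapiProfile.PSChildName
            # 00036623: Enable Exchange Proxy settings and the related check boxes
            ProxyFlags    = ConvertFrom-MapiValue '00036623' $key.GetValue('00036623')
            # 001f6622: Exchange proxy server name
            ProxyServer   = ConvertFrom-MapiValue '001f6622' $key.GetValue('001f6622')
            # 001f6625: principal certificate name the proxy must present (msstd:...)
            PrincipalName = ConvertFrom-MapiValue '001f6625' $key.GetValue('001f6625')
            # 00036627: authentication method, Basic or NTLM
            AuthMethod    = ConvertFrom-MapiValue '00036627' $key.GetValue('00036627')
        }
    }
}

Get-OutlookAnywhereSettings | Format-Table -AutoSize
```

Run it in the context of the migrated user (it reads HKCU), and a profile missing from the output, or showing `<not set>`, is one the GPP item or its targeting did not reach.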
Regards and best practices!
Today an end user told me that when she goes to a secure website (HTTPS) it shows a warning message like this:
The problem is that she is using Windows XP and needs a fix to solve it; she can't access any website over HTTPS. The issue is interesting because it affects all certificates with less than 1024 bits. Here is the link to the KB.
I'm starting an AD users and computers migration, and sometimes users tell me that they can't see icons, files, favourites in IE, etc. on their desktop.
The problem is that the Quest migration tool sometimes fails, creating a new user profile instead of using the existing one. To solve the problem you need to change a registry key on the affected user's computer.
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and find the SID of the user whose profile is failing. Open the ProfileImagePath value and remove the .profile suffix. Close the editor and reboot the computer.
With this easy change the user will see their old profile again.
Here is the link to the solution: https://support.quest.com/SolutionDetail.aspx?ID=14050
With this command you can reboot a machine remotely. Remember to open the command line with "Run as".
SHUTDOWN /r /f /t 0 /m \\<ServerName> /c "<Description>"
When users belong to a lot of groups, or the SID history has a lot of passwords, the token size grows too much. To solve this error you have two options: reduce the user's group membership or password history, or increase the token size. (How a token is built when a user authenticates: http://technet.microsoft.com/en-us/library/cc783557(v=ws.10).aspx)
For the second option, apply the following reconfiguration on the workstations:
Data type: REG_DWORD
By GPO, apply the following configuration:
After exporting all certificates with their private keys, I wrote this script, which imports every PFX into the user's Personal store.
' Import every .pfx found in C:\Temp into the current user's Personal store with certutil.
Dim objFSO, shell, objStartFolder, objFolder, objFile, ext
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")
objStartFolder = "C:\Temp"
Set objFolder = objFSO.GetFolder(objStartFolder)
For Each objFile In objFolder.Files
    ' Compare the extension case-insensitively (".PFX" files were skipped by the original Mid() test)
    ext = LCase(objFSO.GetExtensionName(objFile.Name))
    If ext = "pfx" Then
        ' -user targets the current user's store; -p is the password used when the PFX files
        ' were exported (12345678 is the value from the post; use your own). The path is quoted
        ' so names with spaces work; window style 0 hides the console and True waits for each import.
        shell.Run "certutil.exe -user -p 12345678 -importpfx """ & objFile.Path & """", 0, True
    End If
Next