How to solve the Known Issue on MS16-072

Microsoft released MS16-072: Security update for Group Policy: June 14, 2016

MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer’s security context.

The issue was that all user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.

To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:

  • Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
  • If you are using security filtering, add the Domain Computers group with read permission.


Doing that manually is a nightmare… but PowerShell can help. With this script you can deploy the ‘Read’ permission for “Authenticated Users” on all GPOs, or only where it is needed based on the “Domain Computers” group ‘Read’ permission and/or whether it is a “Per-User Setting” GPO. If you want to be restrictive, enable -checkDomainComputer and -checkPerUserSetting.
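The check described above can be sketched with the GroupPolicy module. This is an added example, not the author's script: the function name and the -Fix switch are hypothetical, and it treats a GPO as affected when neither “Authenticated Users” nor “Domain Computers” holds a permission level that includes Read.

```powershell
# Added example (not the script referenced in the post).
# Requires the GroupPolicy module (GPMC/RSAT) and rights to change GPO security.
Import-Module GroupPolicy

function Repair-GpoReadPermission {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Fix   # hypothetical switch: without it the function only reports
    )

    # Built-in GPO permission levels that include Read.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($gpo in Get-GPO -All) {
        $level = @{}
        foreach ($trustee in 'Authenticated Users', 'Domain Computers') {
            # Get-GPPermission raises an error when the trustee has no entry; treat that as 'None'.
            $ace = Get-GPPermission -Guid $gpo.Id -TargetName $trustee -TargetType Group -ErrorAction SilentlyContinue
            $level[$trustee] = if ($ace) { "$($ace.Permission)" } else { 'None' }
        }

        # MS16-072 needs Read for one of the two groups; skip GPOs that already have it.
        $hasRead = @($level.Values | Where-Object { $readLevels -contains $_ }).Count -gt 0
        if ($hasRead) { continue }

        $fixed = $false
        if ($Fix -and $PSCmdlet.ShouldProcess($gpo.DisplayName, 'Grant Read to Authenticated Users')) {
            # GpoRead grants Read only, so security filtering on Apply is left unchanged.
            Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead | Out-Null
            $fixed = $true
        }

        # A 'GpoCustom' level (for example a Deny entry) needs a manual look in GPMC.
        [pscustomobject]@{
            Gpo                = $gpo.DisplayName
            Id                 = $gpo.Id
            AuthenticatedUsers = $level['Authenticated Users']
            DomainComputers    = $level['Domain Computers']
            Fixed              = $fixed
        }
    }
}

# Report only:            Repair-GpoReadPermission | Format-Table -AutoSize
# Preview the changes:    Repair-GpoReadPermission -Fix -WhatIf
```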


How to send email to users with approaching password expiration

I created and scheduled a script to send email when the user password expiration is approaching.

We are an international company, so this script has an option to specify a file where the mail body is written in the appropriate language and with the appropriate info.

Here are the parameters of Send-PasswordNotify.ps1:

  • notificationGroup: the Active Directory group that contains the users who should receive the password expiry notification.
  • emailBodyFile: the text file that contains the body of the email (the default is mailbox.txt).
  • logFile: a Boolean option. If $True, a log file (Send-PasswordNotify.log) is created. The default is $False. You can change the path of the log file at line 51.
  • eventLog: a Boolean option. If $True, an entry is written to the event log (Scripts). The default is $True.
    NOTE: You should enable/create the event log by running this command once:

    New-EventLog -LogName "Scripts" -Source Send-PasswordNotify

    You can change the event log that receives the info at line 49. If you change the event log, remember to also enable it for this script with the command above. Example: New-EventLog -LogName "Application" -Source Send-PasswordNotify

In Send-PasswordNotify.ps1, at lines 43-51, you can find the parameters that you can adjust, such as the days before the expiration, the SMTP server, etc.

Copy Send-PasswordNotify.ps1 and mailbox.txt to the same folder.
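The selection step behind such a notification, as an added example that is not taken from Send-PasswordNotify.ps1: it lists the members of a notification group whose password expires within a given number of days. The function name and the 14-day default are assumptions; the group is passed in by the caller.

```powershell
# Added example (not Send-PasswordNotify.ps1): who in the group should be notified?
Import-Module ActiveDirectory

function Get-ExpiringPasswordUser {
    param(
        [Parameter(Mandatory)][string]$NotificationGroup,
        [int]$DaysBefore = 14   # assumed default threshold
    )

    $now = Get-Date
    Get-ADGroupMember -Identity $NotificationGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            # The computed expiry honours fine-grained password policies as well.
            Get-ADUser -Identity $_.distinguishedName -Properties mail, 'msDS-UserPasswordExpiryTimeComputed'
        } |
        ForEach-Object {
            $raw = $_.'msDS-UserPasswordExpiryTimeComputed'

            # 0 = must change at next logon, Int64.MaxValue = password never expires.
            # Neither is a real date, and FromFileTime() throws on the latter.
            if (-not $raw -or $raw -eq [Int64]::MaxValue) { return }
            # Disabled accounts and accounts without a mailbox cannot be notified.
            if (-not $_.Enabled -or -not $_.mail) { return }

            $expires  = [datetime]::FromFileTime($raw)
            $daysLeft = [math]::Floor(($expires - $now).TotalDays)

            if ($daysLeft -ge 0 -and $daysLeft -le $DaysBefore) {
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    Mail           = $_.mail
                    Expires        = $expires
                    DaysLeft       = $daysLeft
                }
            }
        }
}

# Example call; 'PasswordNotify' is a placeholder group name.
# Get-ExpiringPasswordUser -NotificationGroup 'PasswordNotify' -DaysBefore 10 | Sort-Object DaysLeft
```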


Error: The DFS Replication service detected a conflict between two or more nTDSConnection objects while polling for configuration information

I had this warning on a badly WAN-connected DC:

Log Name: DFS Replication
Source: DFSR
Date: 30/03/2016 02:27:44
Event ID: 6004
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: [ServerName]
The DFS Replication service detected a conflict between two or more nTDSConnection objects while polling for configuration information. The DFS Replication service resolved the conflict between CN=1a46e70a-b0f5-410f-afdd-7049b1685292,CN=NTDS Settings,CN=MyDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=Domain,DC=Local, CN=b1f0fddb-18cc-459a-9891-15458f6c9a06,CN=NTDS Settings,CN=MyDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=Domain,DC=Local, CN=b377e129-e214-4c52-bbe8-867686db3cb7,CN=NTDS Settings,CN=MyDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=Domain,DC=Local, CN=c037d3d8-16cb-4ede-bf82-c2c72c025ea5,CN=NTDS Settings,CN=MyDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=Domain,DC=Local, CN=82dff205-bc51-4f00-bf18-c47e96215608,CN=NTDS Settings,CN=MyDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=Domain,DC=Local by using CN=ee5b0d6a-d843-48e5-8d8c-b3164dfa4b1a,CN=NTDS Settings,CN=MyDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=Domain,DC=Local.

This error means that some connection objects are in conflict. To solve it, run ADSI Edit, connect to the “Configuration” naming context, and delete the connection objects listed in the event where the conflict was detected, making sure to leave the object after “by using” in place because it’s the working connection.

Right click on connection object:

CN=1a46e70a-b0f5-410f-afdd-7049b1685292,CN=NTDS Settings,CN=MyDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=Domain,DC=Local

and delete it.

Repeat the process for every additional connection object listed in the event log entry.
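To avoid deleting the working connection by mistake, the event text can be split into the objects to delete and the one to keep before opening ADSI Edit. This is an added example, not part of the original post: the function name is hypothetical, the sample message is constructed with placeholder GUIDs, and it assumes the distinguished names are separated by a comma followed by a space, as in the event above.

```powershell
# Added example: turn a DFSR event 6004 message into a delete/keep list.
function Get-DfsrConflictPlan {
    param([Parameter(Mandatory)][string]$Message)

    $pattern = '(?s)resolved the conflict between\s+(?<losers>.+)\s+by using\s+(?<winner>CN=.+?)\.\s*$'
    if (-not ($Message -match $pattern)) {
        throw 'Text does not look like a DFSR event 6004 conflict message.'
    }

    $winner = $Matches['winner'].Trim()
    # Commas inside a DN are not followed by a space; the separators between DNs are.
    $losers = $Matches['losers'] -split ',\s+(?=CN=)' | ForEach-Object { $_.Trim() }

    # Safety check: the working connection must never end up in the delete list.
    if ($losers -contains $winner) {
        throw 'The connection after "by using" also appears in the conflict list; review manually.'
    }

    foreach ($dn in $losers) {
        [pscustomobject]@{ Action = 'Delete'; DistinguishedName = $dn }
    }
    [pscustomobject]@{ Action = 'Keep'; DistinguishedName = $winner }
}

# Constructed sample in the format of the event above (GUIDs are placeholders).
$ntds   = 'CN=NTDS Settings,CN=MyDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=Domain,DC=Local'
$sample = 'The DFS Replication service resolved the conflict between ' +
          "CN=11111111-1111-1111-1111-111111111111,$ntds, " +
          "CN=22222222-2222-2222-2222-222222222222,$ntds " +
          "by using CN=33333333-3333-3333-3333-333333333333,$ntds."

Get-DfsrConflictPlan -Message $sample | Format-List

# Against the live log (run on the affected DC):
# $evt = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = 6004 } -MaxEvents 1
# Get-DfsrConflictPlan -Message $evt.Message
```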




How to configure Network Adapter DNS settings for a Domain Controller

When it comes to the DNS client settings on a domain controller, there is always a bit of confusion about what we should set as the preferred DNS servers in the network adapter configuration.

Here are the common rules:

  • Primary DNS: If possible, a DC of the same domain in the same site. If not, define a well-connected DNS server (use the same DNS server as the non-site alternative on every DC).
  • Secondary DNS: PDCe
  • Third DNS: (if the DC is also a DNS)


  • Clear the automatically added ::1 as the primary and only DNS server for the IPv6 stack unless you actively use IPv6.
  • Use the loopback address, but not as the preferred server. Set it as the last server in the order. When referencing itself as DNS, you should always use a loopback address and not a real IP address.
  • DCs should have at least two DNS client entries.
  • All DCs in a domain should be running DNS and hosting at least their own DNS zone; all DCs in the forest should be hosting the _MSDCS zones.

Do not:

  • Use the server’s own IP as the primary. This avoids various DNS islanding and performance issues that can occur.
  • Disable IPv6 entirely.

How to dump the users’ “proxyAddresses” attribute with PowerShell

In Active Directory, “proxyAddresses” and other multi-valued attributes are not so easy to export to a CSV with Export-Csv.

This script dumps all contact objects inside the specified OU to a CSV file:

# Load the Active Directory module (ipmo is the alias of Import-Module)
ipmo activedirectory

$contactou = "OU=Contacts,OU=Domino Objects,DC=MYAD,DC=LOCAL"
# Timestamp suffix so that every export gets its own file
$datesuffix = get-date -Format yyyy-MM-dd_HHmmss

$allcontacts = get-adobject -filter {objectclass -eq "contact" } -searchbase $contactou -property DistinguishedName,ObjectGUID,proxyaddresses

# Join the multi-valued proxyAddresses into one ";"-separated string per contact
$allcontacts | select DistinguishedName,ObjectGUID,@{Name='proxyAddresses';Expression={[string]::join(";", $($_.proxyAddresses))}} | export-csv -delimiter ";" -notype alldominocontacts_$($datesuffix).csv

This script instead reads a CSV file and replaces the “proxyAddresses” attribute:

Import-Csv "alldominocontacts.csv" -delimiter ";" | ForEach-Object{
    $guid = $_.ObjectGUID
    # Rebuild the multi-valued attribute from the ";"-joined CSV column
    $proxyAddresses = $_.proxyaddresses -split ';'
    $find = Get-ADObject -filter {(objectGUID -eq $guid)} -searchbase "OU=Contacts,OU=Domino Objects,DC=MYAD,DC=LOCAL" -Properties Name,ProxyAddresses
    Write-Host "Contact:"
    Write-Host $find.Name
    Write-Host "Current ProxyAddresses:" $find.proxyaddresses
    Write-Host "Old ProxyAddresses    :" $proxyAddresses
    # -Replace overwrites every existing value with the values from the CSV
    Set-ADObject -Identity $guid -Replace @{proxyAddresses=$proxyAddresses}
    Write-Host "-----------------"
}

Keep in mind that I’m using “;” as delimiter.

If you want to export all the proxyAddresses values of the contact objects that have an X500 address, you can use the -LDAPFilter option:

Get-ADObject -SearchBase "OU=Contacts,OU=Domino Objects,DC=MYAD,DC=LOCAL" -LDAPFilter "(&(objectClass=contact)(proxyAddresses=X500:*))" -Properties DistinguishedName,ObjectGUID,proxyaddresses | Select DistinguishedName,ObjectGUID,@{Name='proxyAddresses';Expression={[string]::join(";", $($_.proxyAddresses))}} | Export-Csv -Path .\ContactsWithX500Addresses.csv

If you want to remove an explicit entry:

Get-ADObject -SearchBase "OU=Contacts,OU=Domino Objects,DC=MYAD,DC=LOCAL" -LDAPFilter "(&(objectClass=contact)(proxyAddresses=X500:wrong))" -Properties DistinguishedName,ObjectGUID,proxyaddresses | %{Set-ADObject -Identity $_.ObjectGUID  -Remove @{proxyAddresses='X500:wrong'}}

If you want to remove all the X500 entries:

$users = Get-ADObject -SearchBase "OU=Contacts,OU=Domino Objects,DC=MYAD,DC=LOCAL" -LDAPFilter "(&(objectClass=contact)(proxyAddresses=X500:*))" -Properties DistinguishedName,ObjectGUID,proxyaddresses
foreach ($user in $users) {
    # Match on the X500: prefix only; '*500*' would also catch SMTP addresses that contain "500"
    $addressesToRemove = @($user.proxyAddresses) -like 'X500:*'
    if ($addressesToRemove.Count -gt 0) {
        Set-ADObject -Identity $user.ObjectGUID -Remove @{proxyAddresses = $addressesToRemove}
    }
}

To re-import the exported contacts’ proxyAddresses:

Import-Csv ContactsWithBrokenX500Addresses.csv | ForEach-Object{
    $guid = $_.ObjectGUID
    # Rebuild the multi-valued attribute from the ";"-joined CSV column
    $proxyAddresses = $_.proxyaddresses -split ';'
    Set-ADObject -Identity $guid -Replace @{proxyAddresses=$proxyAddresses}
}