Finding Windows Phones in Active Directory

I’ve been messing with ADSIEdit a little and found a strange looking container as a subcontainer of my AD user account in my home’s AD. Since I’m running Exchange here and my personal phone is connected to it, it turns out that Exchange creates this account for “Active Sync” devices. In my case, Exchange stores information about my Windows Phone:

The information stored includes the last four digits of the telephone number, the carrier, the build number of the OS, its name and the user agent. Ha.

The objects are of objectClass msExchActiveSyncDevice as you can see in the CMD. I specifically asked for it in ADFind. Note that the objects have special security applied to them, so “normal” users can’t read them.

In the case of Windows Phone, you could check who in the company has already updated to Mango (msExchDeviceUserAgent=*.7720) and so on. It is funny and scary at the same time that this info is around.
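The inventory described above, as an added example that is not code from the original post: it lists each msExchActiveSyncDevice object with its owning account and the stored fields, flags the Mango user agent, and shows which trustees the ACL allows to read each object. It assumes the RSAT ActiveDirectory module and an account permitted to read these objects; the msExchDevice* attribute names other than msExchDeviceUserAgent are the Exchange schema names for the fields the post lists.

```powershell
# Added example, not from the original post.
# Assumes: RSAT ActiveDirectory module, run by an account that can read the objects.
Import-Module ActiveDirectory

# Attributes for the fields the post lists (phone digits, carrier, OS, name, user agent).
$props = 'msExchDeviceTelephoneNumber', 'msExchDeviceMobileOperator',
         'msExchDeviceOS', 'msExchDeviceFriendlyName', 'msExchDeviceUserAgent'

$devices  = Get-ADObject -LDAPFilter '(objectClass=msExchActiveSyncDevice)' -Properties $props
$readProp = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

$report = foreach ($d in $devices) {
    # The device object sits in a subcontainer of the user object, i.e. two
    # levels below the user: strip the first two RDNs. The regex tolerates
    # escaped commas inside an RDN value.
    $owner = $d.DistinguishedName -replace '^(?:(?:\\.|[^,\\])+,){2}', ''

    # Trustees holding an Allow ACE that includes ReadProperty on this object.
    # Anything beyond the expected Exchange and admin groups deserves a look.
    $readers = (Get-Acl -Path "AD:\$($d.DistinguishedName)").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.ActiveDirectoryRights -band $readProp) } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        Owner     = $owner
        Name      = $d.msExchDeviceFriendlyName
        OS        = $d.msExchDeviceOS
        Carrier   = $d.msExchDeviceMobileOperator
        PhoneTail = $d.msExchDeviceTelephoneNumber
        UserAgent = $d.msExchDeviceUserAgent
        IsMango   = $d.msExchDeviceUserAgent -like '*.7720'   # filter from the post
        Readers   = $readers -join '; '
    }
}

$report | Sort-Object Owner | Format-Table -AutoSize -Wrap
```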

Cross-Forest Group Policy application

After a couple of weeks without new postings on the blog, here goes a Windows and Group Policy behavior that I have been discussing with a customer lately. This is all about Group Policy application when considering a cross-forest logon.

When thinking about Group Policy application under “well-known”, normal circumstances, both the user and the computer account reside in the same Active Directory domain but in different OUs. During computer startup, computer Group Policy is applied: the computer evaluates its current OU location and walks up the OU tree to the domain name node, evaluating all GPOs linked along the way. After that, site-based GPOs are evaluated. On the way up the OU tree, the computer considers only those GPOs that have Computer Configuration settings applied.

The same thing happens for a user. Based on the user's OU, Group Policy processing walks up the OU tree, evaluating all User Configuration Group Policies on every node up to the domain node. After that, site-based GPOs are evaluated.


You experience a long domain logon time in Windows 7 or in Windows Server 2008 R2 after you deploy Group Policy preferences to the computer

In case you haven’t seen this, I’ll post a link to a new KB article here, as a couple of customers ran into this:

“You experience a long domain logon time in Windows 7 or in Windows Server 2008 R2 after you deploy Group Policy preferences to the computer”, http://support.microsoft.com/?kbid=2561285

There’s a hotfix for Win7 and Server 2008 R2 available.
